From 73ab23dccaaa4b217c84c483671dc20ee0200bb7 Mon Sep 17 00:00:00 2001
From: huangduirong
Date: Sat, 26 Feb 2022 15:39:05 +0800
Subject: [PATCH] Fix CVE-2022-0572
---
 backport-CVE-2022-0572.patch | 66 ++++++++++++++++++
 ...rt-crash-when-pasting-too-many-times.patch | 67 +++++++++++++++++++
 vim.spec | 10 ++-
 3 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-0572.patch
 create mode 100644 backport-crash-when-pasting-too-many-times.patch
diff --git a/backport-CVE-2022-0572.patch b/backport-CVE-2022-0572.patch
new file mode 100644
index 0000000..429ba09
--- /dev/null
+++ b/backport-CVE-2022-0572.patch
@@ -0,0 +1,66 @@
+From 6e28703a8e41f775f64e442c5d11ce1ff599aa3f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 12 Feb 2022 15:42:18 +0000
+Subject: [PATCH] patch 8.2.4359: crash when repeatedly using :retab
+
+Problem: crash when repeatedly using :retab.
+Solution: Bail out when the line is getting too long.
+---
+ src/indent.c | 5 +++++
+ src/testdir/test_retab.vim | 20 ++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/indent.c b/src/indent.c
+index e8e93b9..075802c 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1689,6 +1689,11 @@ ex_retab(exarg_T *eap)
+ if (ptr[col] == NUL)
+ break;
+ vcol += chartabsize(ptr + col, (colnr_T)vcol);
++ if (vcol >= MAXCOL)
++ {
++ emsg(_(e_resulting_text_too_long));
++ break;
++ }
+ if (has_mbyte)
+ col += (*mb_ptr2len)(ptr + col);
+ else
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index e7b8946..5376f92 100644
+--- a/src/testdir/test_retab.vim
++++ b/src/testdir/test_retab.vim
+@@ -69,6 +69,8 @@ func Test_retab()
+ call assert_equal(" a b c ", Retab('!', 3))
+ call assert_equal(" a b c ", Retab('', 5))
+ call assert_equal(" a b c ", Retab('!', 5))
++
++ set tabstop& expandtab&
+ endfunc
+
+ func Test_retab_error()
+@@ -78,3 +80,21 @@ func Test_retab_error()
+ call assert_fails('ret 10000', 'E475:')
+ call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
++
++func Test_retab_endless()
++ new
++ call setline(1, "\t0\t")
++ let caught = 'no'
++ try
++ while 1
++ set ts=4000
++ retab 4
++ endwhile
++ catch /E1240/
++ let caught = 'yes'
++ endtry
++ bwipe!
++ set tabstop&
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/backport-crash-when-pasting-too-many-times.patch b/backport-crash-when-pasting-too-many-times.patch
new file mode 100644
index 0000000..ffc2f8b
--- /dev/null
+++ b/backport-crash-when-pasting-too-many-times.patch
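Review bot: In Test_retab_endless the variable `caught` is set to 'no' and then 'yes' but is never read, so the test states no expectation of its own; adding `call assert_equal('yes', caught)` before `bwipe!` would make it explicit that E1240 is what ends the loop. The `vcol >= MAXCOL` guard in the src/indent.c hunk reports `e_resulting_text_too_long`, which on this page is defined only by the src/globals.h hunk of backport-crash-when-pasting-too-many-times.patch, so this backport builds only when that patch is applied first; a comment beside the Patch entries in vim.spec would keep the order from being changed later. The declaration of `vcol` and the loops around the `break` are outside the hunk, so it cannot be confirmed from here that the addition cannot overflow before the comparison, or whether the `break` ends the whole :retab or only the current line.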
@@ -0,0 +1,67 @@
+From eeed1c7ae090c17f4df51cf97b2a9e4d8b4f4dc7 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sun, 10 Oct 2021 12:35:17 +0100
+Subject: [PATCH] patch 8.2.3492: crash when pasting too many times
+
+Problem: Crash when pasting too many times.
+Solution: Limit the size to what fits in an int. (closes #8962)
+
+---
+ src/globals.h | 1 +
+ src/register.c | 11 +++++++++--
+ src/testdir/test_put.vim | 8 ++++++++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/globals.h b/src/globals.h
+index fee8c7f..7be3bfd 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1659,6 +1659,7 @@ EXTERN char e_menuothermode[] INIT(= N_("E328: Menu only exists in another mode"
+ #endif
+ EXTERN char e_invalwindow[] INIT(= N_("E957: Invalid window number"));
+ EXTERN char e_listarg[] INIT(= N_("E686: Argument of %s must be a List"));
++EXTERN char e_resulting_text_too_long[] INIT(= N_("E1240: Resulting text too long"));
+
+ #ifdef FEAT_GUI_MAC
+ EXTERN short disallow_gui INIT(= FALSE);
+diff --git a/src/register.c b/src/register.c
+index 24e4b99..bab27fe 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1908,8 +1908,15 @@ do_put(
+ }
+
+ do {
+- totlen = count * yanklen;
+- if (totlen > 0)
++ long multlen = count * yanklen;
++
++ totlen = multlen;
++ if (totlen != multlen)
++ {
++ emsg(_(e_resulting_text_too_long));
++ break;
++ }
++ else if (totlen > 0)
+ {
+ oldp = ml_get(lnum);
+ if (VIsual_active && col > (int)STRLEN(oldp))
+diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
+index f5037dc..42bb7e6 100644
+--- a/src/testdir/test_put.vim
++++ b/src/testdir/test_put.vim
+@@ -122,3 +122,11 @@ func Test_put_above_first_line()
+ call assert_equal('text', getline(1))
+ bwipe!
+ endfunc
++
++func Test_very_larg_count()
++ new
++ let @" = 'x'
++ call assert_fails('norm 44444444444444p', 'E1240:')
++ bwipe!
++endfunc
++
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index bfffe2a..f5963f5 100644
--- a/vim.spec
+++ b/vim.spec
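Review bot: The new check in the src/register.c hunk only catches truncation when `multlen` is stored into `totlen`; the product `count * yanklen` is still computed first, so if it exceeds the range of `long` the signed overflow happens before `totlen != multlen` is evaluated and the wrapped value may pass the comparison. The declarations of `count`, `yanklen` and `totlen` are outside the hunk, but if `totlen` is an `int`, as the commit message implies, then on a target where `long` is no wider than `int` the comparison can never fail. Bounding the operands before multiplying covers both cases, for example `if (yanklen > 0 && count > INT_MAX / yanklen) { emsg(_(e_resulting_text_too_long)); break; }`. Test_very_larg_count uses a one-character register only, so a regression case with a longer yank would be needed to cover the multiplication itself.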
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 23
+Release: 24
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -83,6 +83,8 @@ Patch6046: backport-CVE-2022-0443.patch
 Patch6047: backport-CVE-2022-0392.patch
 Patch6048: backport-invalid-argument-errmsg.patch
 Patch6049: backport-CVE-2022-0417.patch
+Patch6050: backport-crash-when-pasting-too-many-times.patch
+Patch6051: backport-CVE-2022-0572.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -471,6 +473,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Sat Feb 26 2022 huangduirong - 2:8.2-24
+- Type:CVE
+- ID:CVE-2022-0572
+- SUG:NA
+- DESC:fix CVE-2022-0572
+
 * Wed Feb 09 2022 tianwei - 2:8.2-23
 - Type:CVE
 - ID:CVE-2022-0443 CVE-2022-0392 CVE-2022-0417
--
Gitee