From c329393df9a11689644d58126092a60e46e55b09 Mon Sep 17 00:00:00 2001
From: xinyingchao
Date: Sat, 5 Mar 2022 10:25:47 +0800
Subject: [PATCH] fix CVE-2022-0714 CVE-2022-0729
---
backport-CVE-2022-0714.patch | 51 ++++++++++++++++++++++++++++++++++++
backport-CVE-2022-0729.patch | 47 +++++++++++++++++++++++++++++++++
vim.spec | 10 ++++++-
3 files changed, 107 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-0714.patch
create mode 100644 backport-CVE-2022-0729.patch
diff --git a/backport-CVE-2022-0714.patch b/backport-CVE-2022-0714.patch
new file mode 100644
index 0000000..e73192a
--- /dev/null
+++ b/backport-CVE-2022-0714.patch
@@ -0,0 +1,51 @@
+From 4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Mon, 21 Feb 2022 19:36:12 +0000
+Subject: [PATCH] patch 8.2.4436: crash with weird 'vartabstop' value
+
+Problem: Crash with weird 'vartabstop' value.
+Solution: Check for running into the end of the line.
+
+---
+ src/indent.c | 2 ++
+ src/testdir/test_vartabs.vim | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/indent.c b/src/indent.c
+index 075802c..6b8900f 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1279,6 +1279,8 @@ change_indent(
+ new_cursor_col += (*mb_ptr2len)(ptr + new_cursor_col);
+ else
+ ++new_cursor_col;
++ if (ptr[new_cursor_col] == NUL)
++ break;
+ vcol += lbr_chartabsize(ptr, ptr + new_cursor_col, (colnr_T)vcol);
+ }
+ vcol = last_vcol;
+diff --git a/src/testdir/test_vartabs.vim b/src/testdir/test_vartabs.vim
+index 47844fb..c2919d8 100644
+--- a/src/testdir/test_vartabs.vim
++++ b/src/testdir/test_vartabs.vim
+@@ -378,3 +378,17 @@ func Test_vartabs_reset()
+ set all&
+ call assert_equal('', &vts)
+ endfunc
++
++func Test_vartabstop_latin1()
++ let save_encoding = &encoding
++ new
++ set encoding=iso8859
++ silent norm :se 
++ set vartabstop=400
++ norm i00 
++ bwipe!
++ let &encoding = save_encoding
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/backport-CVE-2022-0729.patch b/backport-CVE-2022-0729.patch
new file mode 100644
index 0000000..fb2ec58
--- /dev/null
+++ b/backport-CVE-2022-0729.patch
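Review bot: Both regression tests carried in these backports (`Test_vartabstop_latin1` here and `Test_match_too_complicated` in backport-CVE-2022-0729.patch) contain no assertion, so they can only fail if Vim actually crashes. If the underlying fault is a read past the end of the line or before the start of the buffer, as the patch descriptions suggest, an ordinary build may not crash on it, and the `make -j1 test` step in vim.spec would then pass with or without the fix. It is worth validating the backport once under a memory checker (a sanitizer build or valgrind) and recording that beside the new `Patch6048`/`Patch6049` lines, for example `# tests for these CVE fixes are crash-only; validate with a sanitizer build`. The bodies of `change_indent` and `regmatch` continue outside the inner hunks, so the loop conditions around the new guards are not visible here.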
@@ -0,0 +1,47 @@
+From 6456fae9ba8e72c74b2c0c499eaf09974604ff30 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 22 Feb 2022 13:37:31 +0000
+Subject: [PATCH] patch 8.2.4440: crash with specific regexp pattern and string
+
+Problem: Crash with specific regexp pattern and string.
+Solution: Stop at the start of the string.
+
+---
+ src/regexp_bt.c | 5 +++++
+ src/testdir/test_regexp_utf8.vim | 7 +++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/regexp_bt.c b/src/regexp_bt.c
+index b71b862..e017ba5 100644
+--- a/src/regexp_bt.c
++++ b/src/regexp_bt.c
+@@ -4431,6 +4431,11 @@ regmatch(
+ if (rex.input == rex.line)
+ {
+ // backup to last char of previous line
++ if (rex.lnum == 0)
++ {
++ status = RA_NOMATCH;
++ break;
++ }
+ --rex.lnum;
+ rex.line = reg_getline(rex.lnum);
+ // Just in case regrepeat() didn't count
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index 6d0ce59..5d1bd47 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -223,3 +223,10 @@ func Test_match_invalid_byte()
+ call delete('Xinvalid')
+ endfunc
+
++func Test_match_too_complicated()
++ set regexpengine=1
++ exe "vsplit \xeb\xdb\x99"
++ silent! buf \&\zs*\zs*0
++ bwipe!
++ set regexpengine=0
++endfunc
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 1de7691..d865a4e 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 20 +Release: 21 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -78,6 +78,8 @@ Patch6044: backport-CVE-2022-0554.patch Patch6045: backport-crash-when-pasting-too-many-times.patch Patch6046: backport-CVE-2022-0572.patch Patch6047: backport-CVE-2022-0629.patch +Patch6048: backport-CVE-2022-0714.patch +Patch6049: backport-CVE-2022-0729.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch
@@ -480,6 +482,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Sat Mar 05 2022 yuanxin - 2:8.2-21 +- Type:CVE +- ID:CVE-2022-0714CVE-2022-0729 +- SUG:NA +- DESC:fix CVE-2022-0714 CVE-2022-0729 + * Mon Feb 28 2022 yuanxin - 2:8.2-20 - Type:CVE - ID:CVE-2022-0629 -- Gitee