From 4e0e1879efc36ecd21e9682c7c4064e69c52ccb8 Mon Sep 17 00:00:00 2001
From: rwx403335
Date: Mon, 13 Jun 2022 17:29:38 +0800
Subject: [PATCH] fix CVE-2022-1927
---
backport-CVE-2022-1927.patch | 123 ++++++++++++++++++
...n-search-dose-not-work-in-first-line.patch | 53 ++++++++
vim.spec | 12 +-
3 files changed, 186 insertions(+), 2 deletions(-)
create mode 100644 backport-CVE-2022-1927.patch
create mode 100644 backport-semicolon-search-dose-not-work-in-first-line.patch
diff --git a/backport-CVE-2022-1927.patch b/backport-CVE-2022-1927.patch
new file mode 100644
index 0000000..f0fb7dd
--- /dev/null
+++ b/backport-CVE-2022-1927.patch
@@ -0,0 +1,123 @@ +From 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 28 May 2022 14:25:35 +0100 +Subject: [PATCH] patch 8.2.5037: cursor position may be invalid after "0;" + range + +Problem: Cursor position may be invalid after "0;" range. +Solution: Check the cursor position when it was set by ";" in the range. +--- + src/ex_docmd.c | 24 +++++++++++++++++------- + src/testdir/test_excmd.vim | 9 +++++++++ + 2 files changed, 26 insertions(+), 7 deletions(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index a5ff463..b552440 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -2876,6 +2876,8 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + { + int address_count = 1; + linenr_T lnum; ++ int need_check_cursor = FALSE; ++ int ret = FAIL; + + // Repeat for all ',' or ';' separated addresses. + for (;;) +@@ -2925,7 +2927,7 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent, + eap->addr_count == 0, address_count++); + if (eap->cmd == NULL) // error detected +- return FAIL; ++ goto theend; + if (lnum == MAXLNUM) + { + if (*eap->cmd == '%') // '%' - all lines +@@ -2970,14 +2972,14 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + // there is no Vim command which uses '%' and + // ADDR_WINDOWS or ADDR_TABS + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + } + break; + case ADDR_TABS_RELATIVE: + case ADDR_UNSIGNED: + case ADDR_QUICKFIX: + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + case ADDR_ARGUMENTS: + if (ARGCOUNT == 0) + eap->line1 = eap->line2 = 0; +@@ -3009,7 +3011,7 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + if (eap->addr_type != ADDR_LINES) + { + *errormsg = _(e_invrange); +- return FAIL; ++ goto theend; + } + + ++eap->cmd; +@@ -3017,11 +3019,11 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + { + fp = getmark('<', FALSE); 
+ if (check_mark(fp) == FAIL) +- return FAIL; ++ goto theend; + eap->line1 = fp->lnum; + fp = getmark('>', FALSE); + if (check_mark(fp) == FAIL) +- return FAIL; ++ goto theend; + eap->line2 = fp->lnum; + ++eap->addr_count; + } +@@ -3036,10 +3038,13 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + if (!eap->skip) + { + curwin->w_cursor.lnum = eap->line2; ++ + // Don't leave the cursor on an illegal line or column, but do + // accept zero as address, so 0;/PATTERN/ works correctly. ++ // Check the cursor position before returning. + if (eap->line2 > 0) + check_cursor(); ++ need_check_cursor = TRUE; + } + } + else if (*eap->cmd != ',') +@@ -3055,7 +3060,12 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + if (lnum == MAXLNUM) + eap->addr_count = 0; + } +- return OK; ++ ret = OK; ++ ++theend: ++ if (need_check_cursor) ++ check_cursor(); ++ return ret; + } + + /* +diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim +index 992fc3d..aafee84 100644 +--- a/src/testdir/test_excmd.vim ++++ b/src/testdir/test_excmd.vim +@@ -44,3 +44,12 @@ func Test_buffers_lastused() + bwipeout bufb + bwipeout bufc + endfunc ++ ++" This was leaving the cursor in line zero ++func Test_using_zero_in_range() ++ new ++ norm o00 ++ silent! 0;s/\%') ++ bwipe! ++endfunc ++ +-- +1.8.3.1 + diff --git a/backport-semicolon-search-dose-not-work-in-first-line.patch b/backport-semicolon-search-dose-not-work-in-first-line.patch new file mode 100644 index 0000000..1553db0 --- /dev/null +++ b/backport-semicolon-search-dose-not-work-in-first-line.patch 
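Review bot: After `need_check_cursor = TRUE;` the cursor can still sit on line zero until the `theend:` label, so the next pass of the `for (;;)` loop calls `get_address()` with `curwin->w_cursor.lnum == 0`, and nothing in the hunk records that this window is intentional. That looks deliberate for `0;/PATTERN/`, but the invariant should be written down next to the flag, for example `// Cursor may stay in line zero until "theend"; code reached from get_address() must tolerate lnum == 0.` The added `Test_using_zero_in_range` contains no assertion and can only fail if Vim crashes or a sanitizer trips, so either run it under ASan in the package check or add `call assert_true(line('.') >= 1)` before `bwipe!`. The `silent! 0;s/...` line of that test looks truncated on this page, so confirm that the shipped patch file matches upstream commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 byte for byte. parse_cmd_address starts and continues outside the inner hunks, so the loop structure here is inferred from the context lines.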
@@ -0,0 +1,53 @@ +From 0e71704b77a9891ccae9f5a9c7429e933078f232 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 27 Apr 2020 19:29:01 +0200 +Subject: [PATCH] patch 8.2.0648: semicolon search does not work in first line + +Problem: Semicolon search does not work in first line. +Solution: Allow the cursor to be in line zero. (Christian Brabandt, + closes #5996) +--- + src/ex_docmd.c | 6 ++++-- + src/testdir/test_cmdline.vim | 11 +++++++++++ + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index 43cd013..ca69c29 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -3069,8 +3069,10 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) + if (!eap->skip) + { + curwin->w_cursor.lnum = eap->line2; +- // don't leave the cursor on an illegal line or column +- check_cursor(); ++ // Don't leave the cursor on an illegal line or column, but do ++ // accept zero as address, so 0;/PATTERN/ works correctly. ++ if (eap->line2 > 0) ++ check_cursor(); + } + } + else if (*eap->cmd != ',') +diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim +index 7d3c0c8..a547326 100644 +--- a/src/testdir/test_cmdline.vim ++++ b/src/testdir/test_cmdline.vim +@@ -1471,4 +1471,15 @@ func Test_cmdwin_insert_mode_close() + call assert_equal('yes', caught) + endfunc + ++" test that ";" works to find a match at the start of the first line ++func Test_zero_line_search() ++ new ++ call setline(1, ["1, pattern", "2, ", "3, pattern"]) ++ call cursor(1,1) ++ 0;/pattern/d ++ call assert_equal(["2, ", "3, pattern"], getline(1,'$')) ++ q! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index 2f744ef..559a1e7 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 37 +Release: 38 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org 
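Review bot: Replacing the unconditional `check_cursor();` with `if (eap->line2 > 0) check_cursor();` is the change that lets the cursor remain on line zero, which is exactly the state the CVE-2022-1927 backport later has to repair at `theend`. Patch6077 must therefore never be applied without Patch6078 after it. The spec orders them that way, but a comment above the entry would protect a later cherry-pick or reshuffle, for example `# Patch6077 allows cursor line 0 after "0;"; keep Patch6078 (CVE-2022-1927) directly after it`. From the removed lines it appears the package previously clamped the cursor immediately, so it is worth confirming whether the pre-backport build was affected at all and recording the answer in the changelog entry.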
@@ -110,6 +110,8 @@ Patch6073: backport-CVE-2022-1796.patch Patch6074: backport-patch-8.2.0614-get-ml_get-error-when-deleting-a-line.patch Patch6075: backport-patch-8.2.0670-cannot-change-window-when-evaluating-.patch Patch6076: backport-CVE-2022-1785.patch +Patch6077: backport-semicolon-search-dose-not-work-in-first-line.patch +Patch6078: backport-CVE-2022-1927.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -498,7 +500,13 @@ popd %{_mandir}/man1/evim.* %changelog -* Thu Jun 09 2022 renhongxun - 2:8.2-36 +* Mon Jun 13 2022 renhongxun - 2:8.2-38 +- Type:CVE +- ID:CVE-2022-1927 +- SUG:NA +- DESC:fix CVE-2022-1927 + +* Thu Jun 09 2022 renhongxun - 2:8.2-37 - Type:CVE - ID:CVE-2022-1785 - SUG:NA -- Gitee