From 854e3378fb6aeb2e2e6b70a98475e579fcfb9f0d Mon Sep 17 00:00:00 2001
From: rwx403335
Date: Tue, 28 Jun 2022 16:12:21 +0800
Subject: [PATCH] Fix CVE-2022-2175
---
 backport-CVE-2022-2175.patch | 68 +++++++++++++++++++
 ...annot-build-without-the-eval-feature.patch | 48 +++++++++++++
 vim.spec | 10 ++-
 3 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2175.patch
 create mode 100644 backport-patch-8.2.5149-cannot-build-without-the-eval-feature.patch
diff --git a/backport-CVE-2022-2175.patch b/backport-CVE-2022-2175.patch
new file mode 100644
index 0000000..a4d225c
--- /dev/null
+++ b/backport-CVE-2022-2175.patch
@@ -0,0 +1,68 @@
+From 6046aded8da002b08d380db29de2ba0268b6616e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 22 Jun 2022 13:51:54 +0100
+Subject: [PATCH] patch 8.2.5148: invalid memory access when using expression
+ on command line
+
+Problem: Invalid memory access when using an expression on the command line.
+Solution: Make sure the position does not go negative.
+---
+ src/ex_getln.c | 6 ++++--
+ src/testdir/test_cmdline.vim | 5 +++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index aa01f80..887b47d 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -820,6 +820,7 @@ getcmdline_int(
+ cmdline_info_T save_ccline;
+ int did_save_ccline = FALSE;
+ int cmdline_type;
++ int save_new_cmdpos;
+
+ // one recursion level deeper
+ ++depth;
+@@ -1757,6 +1758,7 @@ getcmdline_int(
+ goto returncmd; // back to cmd mode
+
+ case Ctrl_R: // insert register
++ save_new_cmdpos = new_cmdpos;
+ #ifdef USE_ON_FLY_SCROLL
+ dont_scroll = TRUE; // disallow scrolling here
+ #endif
+@@ -1774,8 +1776,6 @@ getcmdline_int(
+ #ifdef FEAT_EVAL
+ /*
+ * Insert the result of an expression.
+- * Need to save the current command line, to be able to enter
+- * a new one...
+ */
+ new_cmdpos = -1;
+ if (c == '=')
+@@ -1816,6 +1816,8 @@ getcmdline_int(
+ }
+ #endif
+ }
++ new_cmdpos = save_new_cmdpos;
++
+ redrawcmd();
+ goto cmdline_changed;
+
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 4665c75..2588a0d 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -925,4 +925,9 @@ func Test_recursive_register()
+ call assert_equal('yes', caught)
+ endfunc
+
++" This was making the insert position negative
++func Test_cmdline_expr_register()
++ exe "sil! norm! ?\e0\0\?\e0\"
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+1.8.3.1
+
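Review bot: In the `@@ -1816,6 +1816,8 @@` hunk of the embedded ex_getln.c patch, `new_cmdpos = save_new_cmdpos;` runs only on the fall-through path just before `redrawcmd()`, so an earlier exit from `case Ctrl_R` would skip the restore and leave `new_cmdpos` at the `-1` set in the FEAT_EVAL block. Most of that case body is outside the hunks shown, so whether such an exit exists in the tree this backport is applied to cannot be confirmed from here and is worth checking before relying on the fix. The patch also deletes the old "Need to save the current command line" comment without documenting the new save/restore; a line such as `// remember new_cmdpos: a nested command line may reset it to -1` above `save_new_cmdpos = new_cmdpos;` would record the intent (wording inferred from the commit message and the recursion counter, not confirmed). `getcmdline_int` starts and ends outside every hunk.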
diff --git a/backport-patch-8.2.5149-cannot-build-without-the-eval-feature.patch b/backport-patch-8.2.5149-cannot-build-without-the-eval-feature.patch
new file mode 100644
index 0000000..69ba91e
--- /dev/null
+++ b/backport-patch-8.2.5149-cannot-build-without-the-eval-feature.patch
@@ -0,0 +1,48 @@
+From 6689df024bce4309ec5884e445738fe07ee4ffcc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 22 Jun 2022 18:14:29 +0100
+Subject: [PATCH] patch 8.2.5149: cannot build without the +eval feature
+
+Problem: Cannot build without the +eval feature. (Tony Mechelynck)
+Solution: Add #ifdefs.
+---
+ src/ex_getln.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 887b47d..8383eee 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -820,7 +820,9 @@ getcmdline_int(
+ cmdline_info_T save_ccline;
+ int did_save_ccline = FALSE;
+ int cmdline_type;
++#ifdef FEAT_EVAL
+ int save_new_cmdpos;
++#endif
+
+ // one recursion level deeper
+ ++depth;
+@@ -1758,7 +1760,9 @@ getcmdline_int(
+ goto returncmd; // back to cmd mode
+
+ case Ctrl_R: // insert register
++#ifdef FEAT_EVAL
+ save_new_cmdpos = new_cmdpos;
++#endif
+ #ifdef USE_ON_FLY_SCROLL
+ dont_scroll = TRUE; // disallow scrolling here
+ #endif
+@@ -1816,7 +1820,9 @@ getcmdline_int(
+ }
+ #endif
+ }
++#ifdef FEAT_EVAL
+ new_cmdpos = save_new_cmdpos;
++#endif
+
+ redrawcmd();
+ goto cmdline_changed;
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 552e727..9d25a13 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 36
+Release: 37
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -111,6 +111,8 @@ Patch6077: backport-CVE-2022-1897.patch Patch6078: backport-CVE-2022-1968.patch Patch6079: backport-CVE-2022-1771.patch Patch6080: backport-CVE-2022-2124.patch +Patch6081: backport-CVE-2022-2175.patch +Patch6082: backport-patch-8.2.5149-cannot-build-without-the-eval-feature.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -513,6 +515,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Tue Jun 28 2022 renhongxun - 2:8.2-37 +- Type:CVE +- ID:CVE-2022-2175 +- SUG:NA +- DESC:fix CVE-2022-2175 + * Thu Jun 23 2022 liukuo - 2:8.2-36 - Type:CVE - ID:CVE-2022-2124 -- Gitee