diff --git a/backport-CVE-2022-1720.patch b/backport-CVE-2022-1720.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a059119dfe39af3191772ad31cce23c5f1fc693
--- /dev/null
+++ b/backport-CVE-2022-1720.patch
@@ -0,0 +1,66 @@
+From 395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab93c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 14 May 2022 21:29:44 +0100
+Subject: [PATCH] patch 8.2.4956: reading past end of line with "gf" in Visual
+ block mode
+
+Problem: Reading past end of line with "gf" in Visual block mode.
+Solution: Do not include the NUL in the length.
+---
+ src/normal.c | 13 ++++++++++---
+ src/testdir/test_gf.vim | 15 +++++++++++++++
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index d33a56a..898c836 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -3791,9 +3791,16 @@ get_visual_text(
+ }
+ if (**pp == NUL)
+ *lenp = 0;
+- if (has_mbyte && *lenp > 0)
+- // Correct the length to include all bytes of the last character.
+- *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
++ if (*lenp > 0)
++ {
++ if (has_mbyte)
++ // Correct the length to include all bytes of the last
++ // character.
++ *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
++ else if ((*pp)[*lenp - 1] == NUL)
++ // Do not include a trailing NUL.
++ *lenp -= 1;
++ }
+ }
+ reset_VIsual_and_resel();
+ return OK;
+diff --git a/src/testdir/test_gf.vim b/src/testdir/test_gf.vim
+index d301874..596f3e8 100644
+--- a/src/testdir/test_gf.vim
++++ b/src/testdir/test_gf.vim
+@@ -106,6 +106,21 @@ func Test_gf_visual()
+ call setline(1, 'XXXtest_gf_visualXXX')
+ set hidden
+
++ " do not include the NUL at the end
++ call writefile(['x'], 'X')
++ let save_enc = &enc
++ for enc in ['latin1', 'utf-8']
++ exe "set enc=" .. enc
++ new
++ call setline(1, 'X')
++ set nomodified
++ exe "normal \$gf"
++ call assert_equal('X', bufname())
++ bwipe!
++ endfor
++ let &enc = save_enc
++ call delete('X')
++
+ " Visually select Xtest_gf_visual and use gf to go to that file
+ norm! ttvtXgf
+ call assert_equal('Xtest_gf_visual', bufname('%'))
+--
+1.8.3.1
+
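Review bot: In the get_visual_text() hunk of the backported patch, the trailing-NUL check `else if ((*pp)[*lenp - 1] == NUL)` is reached only when has_mbyte is false, so the multi-byte branch depends on `(*mb_ptr2len)` returning 0 for a NUL byte in order to shorten the length. That behaviour is not visible in this hunk, and the added test exercises only latin1 and utf-8, so it should be confirmed for every other encoding that sets has_mbyte. Testing the NUL first would remove the dependency: `if ((*pp)[*lenp - 1] == NUL) *lenp -= 1; else if (has_mbyte) *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;`. Failing that, a comment on the has_mbyte branch such as `// relies on mb_ptr2len() returning 0 at a NUL` would record the assumption. The body of get_visual_text() starts and ends outside the hunk.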
diff --git a/backport-CVE-2022-2183.patch b/backport-CVE-2022-2183.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03ddcc48e0638fe5544c181959105f22c78490a4
--- /dev/null
+++ b/backport-CVE-2022-2183.patch
@@ -0,0 +1,59 @@
+From 8eba2bd291b347e3008aa9e565652d51ad638cfa Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 22 Jun 2022 19:59:28 +0100
+Subject: [PATCH] patch 8.2.5151: reading beyond the end of the line with lisp
+ indenting
+
+Problem: Reading beyond the end of the line with lisp indenting.
+Solution: Avoid going over the NUL at the end of the line.
+---
+ src/indent.c | 7 +++++--
+ src/testdir/test_lispwords.vim | 12 +++++++++++-
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/indent.c b/src/indent.c
+index 2d07e2e..a58d6ea 100644
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1967,8 +1967,11 @@ get_lisp_indent(void)
+ amount += 2;
+ else
+ {
+- that++;
+- amount++;
++ if (*that != NUL)
++ {
++ that++;
++ amount++;
++ }
+ firsttry = amount;
+
+ while (VIM_ISWHITE(*that))
+diff --git a/src/testdir/test_lispwords.vim b/src/testdir/test_lispwords.vim
+index ff710b2..4144fb0 100644
+--- a/src/testdir/test_lispwords.vim
++++ b/src/testdir/test_lispwords.vim
+@@ -1,4 +1,5 @@
+-" Tests for 'lispwords' settings being global-local
++" Tests for 'lispwords' settings being global-local.
++" And other lisp indent stuff.
+
+ set nocompatible viminfo+=nviminfo
+
+@@ -85,4 +86,13 @@ func Test_lisp_indent()
+ set nolisp
+ endfunc
+
++func Test_lisp_indent_works()
++ " This was reading beyond the end of the line
++ new
++ exe "norm a\tü(\="
++ set lisp
++ norm ==
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 819a0d4a96548ee82c41edcb88a5fd7017d15ab3..262d34346cf902e7b60c14c468cee88fd8169e1a 100644
--- a/vim.spec
+++ b/vim.spec
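Review bot: Test_lisp_indent_works in the backported patch contains no assertion, so it can fail only if the read past the end of the line crashes or a memory checker flags it; on a plain build it would presumably pass with or without the `if (*that != NUL)` guard in get_lisp_indent(). Whether the `make -j1 test` step in vim.spec runs under a sanitizer or valgrind is not visible here. I would add a comment in the test saying so, e.g. `" no assert: only a memory checker (ASan/valgrind) detects the read past the NUL`, and ideally one `assert_equal()` on the indented line so the test also pins the resulting indent. The body of get_lisp_indent() extends outside the hunk.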
@@ -11,7 +11,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 39 +Release: 40 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -121,6 +121,8 @@ Patch6087: backport-patch-8.2.0358-insufficient-testing-for-indent.c.patch Patch6088: backport-CVE-2022-2125.patch Patch6089: backport-CVE-2022-2206.patch Patch6090: backport-patch-8.2.5161-might-still-access-invalid-memory.patch +Patch6091: backport-CVE-2022-1720.patch +Patch6092: backport-CVE-2022-2183.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: remove-failed-tests-due-to-patch.patch @@ -523,6 +525,12 @@ LC_ALL=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog +* Tue Jul 05 2022 renhongxun - 2:8.2-40 +- Type:CVE +- ID:CVE-2022-1720,CVE-2022-2183 +- SUG:NA +- DESC:fix CVE-2022-1720,CVE-2022-2183 + * Tue Jul 05 2022 shixuantong - 2:8.2-39 - Type:CVE - ID:CVE-2022-2125,CVE-2022-2206