From 63b09b20ef14a09f788daa1ff68c2c4758a93af3 Mon Sep 17 00:00:00 2001
From: shixuantong <shixuantong@huawei.com>
Date: Sun, 26 Sep 2021 17:36:46 +0800
Subject: [PATCH] fix CVE-2021-3778 CVE-2021-3796

(cherry picked from commit d4716c3ee0cdc291d68f1e0c5b9cd8308c0d7ce7)
---
 backport-CVE-2021-3778.patch | 46 +++++++++++++++++++++++++
 backport-CVE-2021-3796.patch | 67 ++++++++++++++++++++++++++++++++++++
 vim.spec                     | 10 +++++-
 3 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3778.patch
 create mode 100644 backport-CVE-2021-3796.patch

diff --git a/backport-CVE-2021-3778.patch b/backport-CVE-2021-3778.patch
new file mode 100644
index 0000000..e1ef68a
--- /dev/null
+++ b/backport-CVE-2021-3778.patch
@@ -0,0 +1,46 @@
+From 65b605665997fad54ef39a93199e305af2fe4d7f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 7 Sep 2021 19:26:53 +0200
+Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8
+ character
+
+Problem:    Reading beyond end of line with invalid utf-8 character.
+Solution:   Check for NUL when advancing.
+---
+ src/regexp_nfa.c                 | 3 ++-
+ src/testdir/test_regexp_utf8.vim | 8 ++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index fb512f9..bc4a4b6 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -5455,7 +5455,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
+ 		match = FALSE;
+ 		break;
+ 	    }
+-	    len2 += MB_CHAR2LEN(c2);
++	    len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
++							     : MB_CHAR2LEN(c2);
+ 	}
+ 	if (match
+ 		// check that no composing char follows
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index 19ff882..6d0ce59 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -215,3 +215,11 @@ func Test_optmatch_toolong()
+   set re=0
+ endfunc
+ 
++func Test_match_invalid_byte()
++  call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
++  new
++  source Xinvalid
++  bwipe!
++  call delete('Xinvalid')
++endfunc
++
+-- 
+1.8.3.1
+
diff --git a/backport-CVE-2021-3796.patch b/backport-CVE-2021-3796.patch
new file mode 100644
index 0000000..654b4e5
--- /dev/null
+++ b/backport-CVE-2021-3796.patch
@@ -0,0 +1,67 @@
+From 35a9a00afcb20897d462a766793ff45534810dc3 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 11 Sep 2021 21:14:20 +0200
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem:    Using freed memory when replacing. (Dhiraj Mishra)
+Solution:   Get the line pointer after calling ins_copychar().
+---
+ src/normal.c              | 10 +++++++---
+ src/testdir/test_edit.vim | 13 +++++++++++++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e6..d6333b9 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
+ 	    {
+ 		/*
+ 		 * Get ptr again, because u_save and/or showmatch() will have
+-		 * released the line.  At the same time we let know that the
+-		 * line will be changed.
++		 * released the line.  This may also happen in ins_copychar().
++		 * At the same time we let know that the line will be changed.
+ 		 */
+-		ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ 		{
+ 		  int c = ins_copychar(curwin->w_cursor.lnum
+ 					   + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++		  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		  if (c != NUL)
+ 		    ptr[curwin->w_cursor.col] = c;
+ 		}
+ 		else
++		{
++		    ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		    ptr[curwin->w_cursor.col] = cap->nchar;
++		}
+ 		if (p_sm && msg_silent == 0)
+ 		    showmatch(cap->nchar);
+ 		++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 4e29e7f..c3b1af5 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1519,3 +1519,16 @@ func Test_edit_noesckeys()
+   bwipe!
+   set esckeys
+ endfunc
++
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++  set encoding=latin1
++  new
++  let @" = ''
++  sil! norm orggRx
++  sil! norm pr
++  call assert_equal(['r', 'r'], getline(1, 2))
++  bwipe!
++  set encoding=utf-8
++endfunc
++
+-- 
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index a1ef4ea..ae368fa 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        10
+Release:        11
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -38,6 +38,8 @@ Patch6000:      backport-Configure-does-not-recognize-gcc-10.0-and-later.patch
 Patch6001:      backport-8.2.2550-signal-stack-size-is-wrong-with-lates.patch
 Patch6002:      backport-CVE-2021-3770.patch
 Patch6003:      backport-memory-leak-for-retab-with-invalid-argument.patch
+Patch6004:      backport-CVE-2021-3778.patch
+Patch6005:      backport-CVE-2021-3796.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -426,6 +428,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Sun Sep 26 2021 shixuantong<shixuantong@huawei> - 2:8.2-11
+- Type:CVE
+- ID:CVE-2021-3778 CVE-2021-3796
+- SUG:NA
+- DESC:fix CVE-2021-3778 CVE-2021-3796
+
 * Sat Sep 11 2021 shixuantong<shixuantong@huawei> - 2:8.2-10
 - Type:CVE
 - ID:NA
-- 
Gitee