From 987cbee818b1d65aa3e20a4b6abd517027c0771a Mon Sep 17 00:00:00 2001
From: shixuantong <shixuantong@h-partners.com>
Date: Tue, 2 Aug 2022 14:18:35 +0800
Subject: [PATCH] fix CVE-2022-2598 CVE-2022-2571

---
 backport-CVE-2022-2571.patch | 47 +++++++++++++++++++++++++
 backport-CVE-2022-2598.patch | 66 ++++++++++++++++++++++++++++++++++++
 vim.spec                     | 10 +++++-
 3 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2571.patch
 create mode 100644 backport-CVE-2022-2598.patch

diff --git a/backport-CVE-2022-2571.patch b/backport-CVE-2022-2571.patch
new file mode 100644
index 0000000..6a85772
--- /dev/null
+++ b/backport-CVE-2022-2571.patch
@@ -0,0 +1,47 @@
+From a6f9e300161f4cb54713da22f65b261595e8e614 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 28 Jul 2022 21:51:37 +0100
+Subject: [PATCH] patch 9.0.0102: reading past end of line with insert
+mode
+ completion
+
+Problem:    Reading past end of line with insert mode completion.
+Solution:   Check text length.
+---
+ src/insexpand.c                   | 2 +-
+ src/testdir/test_ins_complete.vim | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index 88dbac6..a23d2d6 100644
+--- a/src/insexpand.c
++++ b/src/insexpand.c
+@@ -2998,7 +2998,7 @@ ins_compl_get_exp(pos_T *ini)
+ 		{
+ 		    char_u	*tmp_ptr = ptr;
+ 
+-		    if (compl_cont_status & CONT_ADDING)
++		    if (compl_cont_status & CONT_ADDING && compl_length <= (int)STRLEN(tmp_ptr))
+ 		    {
+ 			tmp_ptr += compl_length;
+ 			// Skip if already inside a word.
+diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
+index 5e7353c..39ece18 100644
+--- a/src/testdir/test_ins_complete.vim
++++ b/src/testdir/test_ins_complete.vim
+@@ -418,3 +418,12 @@ func Test_infercase_very_long_line()
+   bwipe!
+   set noic noinfercase
+ endfunc
++
++func Test_ins_complete_end_of_line()
++  " this was reading past the end of the line
++  new  
++  norm 8oý 
++  sil! norm o
++
++  bwipe!
++endfunc
+-- 
+2.27.0
+
diff --git a/backport-CVE-2022-2598.patch b/backport-CVE-2022-2598.patch
new file mode 100644
index 0000000..a765d8e
--- /dev/null
+++ b/backport-CVE-2022-2598.patch
@@ -0,0 +1,66 @@
+From 4e677b9c40ccbc5f090971b31dc2fe07bf05541d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 28 Jul 2022 18:44:27 +0100
+Subject: [PATCH] patch 9.0.0101: invalid memory access in diff mode with
+"dp"
+ and undo
+
+Problem:    Invalid memory access in diff mode with "dp" and undo.
+Solution:   Make sure the line number does not go below one.
+---
+ src/diff.c                    |  9 ++++++---
+ src/testdir/test_diffmode.vim | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index 2801c67..5328000 100644
+--- a/src/diff.c
++++ b/src/diff.c
+@@ -452,7 +452,10 @@ diff_mark_adjust_tp(
+ 		    for (i = 0; i < DB_COUNT; ++i)
+ 			if (tp->tp_diffbuf[i] != NULL && i != idx)
+ 			{
+-			    dp->df_lnum[i] -= off;
++			    if (dp->df_lnum[i] > off)
++				dp->df_lnum[i] -= off;
++			    else
++				dp->df_lnum[i] = 1;
+ 			    dp->df_count[i] += n;
+ 			}
+ 		}
+@@ -2781,8 +2784,8 @@ ex_diffgetput(exarg_T *eap)
+ 	    {
+ 		// remember deleting the last line of the buffer
+ 		buf_empty = curbuf->b_ml.ml_line_count == 1;
+-		ml_delete(lnum, FALSE);
+-		--added;
++		if (ml_delete(lnum, FALSE) == OK)
++		    --added;
+ 	    }
+ 	    for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
+ 	    {
+diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
+index a75d0e5..d3b8f6c 100644
+--- a/src/testdir/test_diffmode.vim
++++ b/src/testdir/test_diffmode.vim
+@@ -852,3 +852,17 @@ func Test_diff_manipulations()
+   set nodiff
+   %bwipe!
+ endfunc
++
++" This was causing the line number in the diff block to go below one.
++" FIXME: somehow this causes a valgrind error when run directly but not when
++" run as a test.
++func Test_diff_put_and_undo()
++  set diff
++  next 0
++  split 00
++  sil! norm o0gguudpo0ggJuudp
++
++  bwipe!
++  bwipe!
++  set nodiff
++endfunc
+-- 
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index a9165bc..498f301 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        56
+Release:        57
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -160,6 +160,8 @@ Patch6123:      backport-CVE-2022-2343.patch
 Patch6124:      backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch
 Patch6125:      backport-CVE-2022-2522.patch
 Patch6126:      backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch
+Patch6127:      backport-CVE-2022-2598.patch
+Patch6128:      backport-CVE-2022-2571.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -548,6 +550,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Aug 02 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-57
+- Type:CVE
+- ID:CVE-2022-2598 CVE-2022-2571
+- SUG:NA
+- DESC:fix CVE-2022-2598 CVE-2022-2571
+
 * Mon Aug 01 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-56
 - Type:CVE
 - ID:CVE-2022-2522
-- 
Gitee