From 7b4348e2011970c47ca4e2c7065e1884feeb1605 Mon Sep 17 00:00:00 2001 From: wangjiang Date: Wed, 17 Aug 2022 11:01:21 +0800 Subject: [PATCH] fix CVE-2022-2580 CVE-2022-2581 --- backport-CVE-2022-2580.patch | Bin 0 -> 1713 bytes backport-CVE-2022-2581.patch | 65 +++++++++++++++++++++++++++++++++++ vim.spec | 10 +++++- 3 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-2580.patch create mode 100644 backport-CVE-2022-2581.patch 
diff --git a/backport-CVE-2022-2580.patch b/backport-CVE-2022-2580.patch new file mode 100644 index 0000000000000000000000000000000000000000..06e36bd5468e3a457932d6e68562f0876376422f GIT binary patch literal 1713 zcmah~ZF1s95Y1of0{Q!vN(?qgNCISFZOX~+dgJ&buHgLG+H9!?X#~oO8P#aOOPQ_8 zX>x>IAUDZL(ldbVq_$!eXqZ-aPxpJT#hH?G1iTkbQa13reKv@~-X!4>k0O82=_mb8 zH|ZroZ{i=NxRL^6ULrVx?+@(U!O|uL@hHN1c+!CJgTvB5>Ph)Cb#X`osN?6I`s^m$|ipGIM@QH<(vl7Qw?%%)v zF(Q$O)MRkrG#@i<88MoPbFoVhf8;Al(gbSIv%JC`tFWkyu=I?heqT30=PAeW2=vGp zNp4C*W?+IIYOYFISfy?hX_8e$m(VZ3lbM8nAGqJtemx$$?)~U%u@-;*`R!Lub5|wt zTLXz?h-#K+`YuoP>?EX9D!TJeB@?M;lP?gw)6f>=H+Mbbp zyA3TdFuGPOAtWm_A~RPOXJaLdQ*^9}VJil8Fno+xoW@{Dq?9b-)~`pPX~n#)PoAN1 zSmNXa_2W7*Z4bVub&m?#+uP-=a0373gE=eM)R@l37xBfLcdveW{f36v?9Q*_@$Jv& z*Kf(0j@Yw@p?QLyF;H4+YHZ#V)R~pgsBV6;rOeZ +Date: Fri, 29 Jul 2022 16:22:25 +0100 +Subject: [PATCH 002/123] patch 9.0.0105: illegal memory access when pattern + starts with illegal byte + +Problem: Illegal memory access when pattern starts with illegal byte. +Solution: Do not match a character with an illegal byte. +--- + src/regexp.c | 6 +++++- + src/testdir/test_regexp_utf8.vim | 15 +++++++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/regexp.c b/src/regexp.c +index 1a5cfd0..bec0464 100644 +--- a/src/regexp.c ++++ b/src/regexp.c +@@ -1641,7 +1641,11 @@ cstrchr(char_u *s, int c) + { + if (enc_utf8 && c > 0x80) + { +- if (utf_fold(utf_ptr2char(p)) == cc) ++ int uc = utf_ptr2char(p); ++ ++ // Do not match an illegal byte. E.g. 0xff matches 0xc3 0xbf, ++ // not 0xff. 
++ if ((uc < 0x80 || uc != *p) && utf_fold(uc) == cc) + return p; + } + else if (*p == c || *p == cc) +diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim +index d88e263..e7672dd 100644 +--- a/src/testdir/test_regexp_utf8.vim ++++ b/src/testdir/test_regexp_utf8.vim +@@ -1,5 +1,7 @@ + " Tests for regexp in utf8 encoding + ++source shared.vim ++ + func s:equivalence_test() + let str = "AÀÁÂÃÄÅĀĂĄǍǞǠǺȂȦȺḀẠẢẤẦẨẪẬẮẰẲẴẶ BƁɃḂḄḆ CÇĆĈĊČƇȻḈꞒ DĎĐƊḊḌḎḐḒ EÈÉÊËĒĔĖĘĚȄȆȨɆḔḖḘḚḜẸẺẼẾỀỂỄỆ FƑḞꞘ GĜĞĠĢƓǤǦǴḠꞠ HĤĦȞḢḤḦḨḪⱧ IÌÍÎÏĨĪĬĮİƗǏȈȊḬḮỈỊ JĴɈ KĶƘǨḰḲḴⱩꝀ LĹĻĽĿŁȽḶḸḺḼⱠ MḾṀṂ NÑŃŅŇǸṄṆṈṊꞤ OÒÓÔÕÖØŌŎŐƟƠǑǪǬǾȌȎȪȬȮȰṌṎṐṒỌỎỐỒỔỖỘỚỜỞỠỢ PƤṔṖⱣ QɊ RŔŖŘȐȒɌṘṚṜṞⱤꞦ SŚŜŞŠȘṠṢṤṦṨⱾꞨ TŢŤŦƬƮȚȾṪṬṮṰ UÙÚÛÜŨŪŬŮŰƯǕǙǛǓǗȔȖɄṲṴṶṸṺỤỦỨỪỬỮỰ VƲṼṾ WŴẀẂẄẆẈ XẊẌ YÝŶŸƳȲɎẎỲỴỶỸ ZŹŻŽƵẐẒẔⱫ aàáâãäåāăąǎǟǡǻȃȧᶏḁẚạảấầẩẫậắằẳẵặⱥ bƀɓᵬᶀḃḅḇ cçćĉċčƈȼḉꞓꞔ dďđɗᵭᶁᶑḋḍḏḑḓ eèéêëēĕėęěȅȇȩɇᶒḕḗḙḛḝẹẻẽếềểễệ fƒᵮᶂḟꞙ gĝğġģǥǧǵɠᶃḡꞡ hĥħȟḣḥḧḩḫẖⱨꞕ iìíîïĩīĭįǐȉȋɨᶖḭḯỉị jĵǰɉ kķƙǩᶄḱḳḵⱪꝁ lĺļľŀłƚḷḹḻḽⱡ mᵯḿṁṃ nñńņňʼnǹᵰᶇṅṇṉṋꞥ oòóôõöøōŏőơǒǫǭǿȍȏȫȭȯȱɵṍṏṑṓọỏốồổỗộớờởỡợ pƥᵱᵽᶈṕṗ qɋʠ rŕŗřȑȓɍɽᵲᵳᶉṛṝṟꞧ sśŝşšșȿᵴᶊṡṣṥṧṩꞩ tţťŧƫƭțʈᵵṫṭṯṱẗⱦ uùúûüũūŭůűųǚǖưǔǘǜȕȗʉᵾᶙṳṵṷṹṻụủứừửữự vʋᶌṽṿ wŵẁẃẅẇẉẘ xẋẍ yýÿŷƴȳɏẏẙỳỵỷỹ zźżžƶᵶᶎẑẓẕⱬ" + let groups = split(str) +@@ -560,6 +562,19 @@ func Test_match_invalid_byte() + call delete('Xinvalid') + endfunc + ++func Test_match_illegal_byte() ++ let lines =<< trim END ++ silent! buffer ÿ\c ++ next ÿ ++ 0scriptnames ++ source ++ END ++ call writefile(lines, 'Xregexp') ++ call system(GetVimCommand() .. ' -X -Z -e -s -S Xregexp -c qa!') ++ ++ call delete('Xregexp') ++endfunc ++ + func Test_match_too_complicated() + set regexpengine=1 + exe "noswapfile vsplit \xeb\xdb\x99" +-- +1.8.3.1 + diff --git a/vim.spec b/vim.spec index b95e79d..a269076 100644 --- a/vim.spec +++ b/vim.spec @@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0 -Release: 4 +Release: 5 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org 
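Review bot: The new guard in cstrchr(), `(uc < 0x80 || uc != *p)`, appears to reject one valid character along with illegal bytes: U+00C3 is encoded as 0xc3 0x83, so utf_ptr2char(p) returns 0xc3, which equals the lead byte `*p`. A scan through this branch would then skip that character even though the sequence is well-formed. Testing the sequence length instead avoids the collision, e.g. `if ((uc < 0x80 || utf_ptr2len(p) > 1) && utf_fold(uc) == cc)`; since this is a backport of patch 9.0.0105, it is better raised upstream than changed only in this package. cstrchr's body starts and ends outside the hunk, so how the loop advances past an illegal byte was not checked. Separately, Test_match_illegal_byte asserts nothing, so it only catches the invalid read when the test suite runs under a memory checker.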
@@ -44,6 +44,8 @@ Patch6013: backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-co.pa Patch6014: backport-CVE-2022-2522.patch Patch6015: backport-CVE-2022-2598.patch Patch6016: backport-CVE-2022-2571.patch +Patch6017: backport-CVE-2022-2580.patch +Patch6018: backport-CVE-2022-2581.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -437,6 +439,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Wed Aug 17 2022 wangjiang - 2:9.0-5 +- Type:bugfix +- ID:CVE-2022-2580 CVE-2022-2581 +- SUG:NA +- DESC:fix CVE-2022-2580 CVE-2022-2581 + * Wed Aug 10 2022 shixuantong - 2:9.0-4 - Type:bugfix - ID:NA -- Gitee
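Review bot: `Patch6017` applies backport-CVE-2022-2580.patch, which this commit adds as a Git binary patch (`Bin 0 -> 1713 bytes`), so the code it changes cannot be read or compared with upstream from this diff. Presumably the file contains non-UTF-8 bytes from a test case; either way, a comment above the line would let a reviewer verify it, e.g. `# CVE-2022-2580: upstream patch <UPSTREAM_PATCH_ID>, stored as binary (contains raw bytes)`. The same provenance comment would help on `Patch6018`, whose own header names patch 9.0.0105. In the changelog entry, `- Type:bugfix` sits next to two CVE IDs; if the distribution's tooling filters security updates by type, this entry may need a CVE type instead.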