From b5cc6a5a1a526366507ac96f11e18a4c32470ca1 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Sat, 23 Oct 2021 09:47:15 +0800
Subject: [PATCH] fix CVE-2021-3872 CVE-2021-3875
---
backport-CVE-2021-3872.patch | 70 ++++++++++++++++++++++++++++++++++++
backport-CVE-2021-3875.patch | 54 ++++++++++++++++++++++++++++
vim.spec | 10 +++++-
3 files changed, 133 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2021-3872.patch
create mode 100644 backport-CVE-2021-3875.patch
diff --git a/backport-CVE-2021-3872.patch b/backport-CVE-2021-3872.patch
new file mode 100644
index 0000000..32769f0
--- /dev/null
+++ b/backport-CVE-2021-3872.patch
@@ -0,0 +1,70 @@ +From 826bfe4bbd7594188e3d74d2539d9707b1c6a14b Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 8 Oct 2021 18:39:28 +0100 +Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very + long + +Problem: Illegal memory access if buffer name is very long. +Solution: Make sure not to go over the end of the buffer. +--- + src/drawscreen.c | 10 +++++----- + src/testdir/test_statusline.vim | 10 ++++++++++ + 2 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/drawscreen.c b/src/drawscreen.c +index 3a88ee9..9acb705 100644 +--- a/src/drawscreen.c ++++ b/src/drawscreen.c +@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) + *(p + len++) = ' '; + if (bt_help(wp->w_buffer)) + { +- STRCPY(p + len, _("[Help]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]")); + len += (int)STRLEN(p + len); + } + #ifdef FEAT_QUICKFIX + if (wp->w_p_pvw) + { +- STRCPY(p + len, _("[Preview]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]")); + len += (int)STRLEN(p + len); + } + #endif +@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED) + #endif + ) + { +- STRCPY(p + len, "[+]"); +- len += 3; ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]"); ++ len += (int)STRLEN(p + len); + } + if (wp->w_buffer->b_p_ro) + { +- STRCPY(p + len, _("[RO]")); ++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]")); + len += (int)STRLEN(p + len); + } + +diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim +index 1f705b8..febb5d6 100644 +--- a/src/testdir/test_statusline.vim ++++ b/src/testdir/test_statusline.vim +@@ -393,3 +393,13 @@ func Test_statusline_visual() + bwipe! x1 + bwipe! x2 + endfunc ++ ++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes. ++func Test_statusline_verylong_filename() ++ let fname = repeat('x', 4090) ++ exe "new " .. 
fname ++ set buftype=help ++ set previewwindow ++ redraw ++ bwipe! ++endfunc +-- +2.27.0 + diff --git a/backport-CVE-2021-3875.patch b/backport-CVE-2021-3875.patch new file mode 100644 index 0000000..ac92390 --- /dev/null +++ b/backport-CVE-2021-3875.patch @@ -0,0 +1,54 @@ +From 35a319b77f897744eec1155b736e9372c9c5575f Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 9 Oct 2021 13:58:55 +0100 +Subject: [PATCH] patch 8.2.3489: ml_get error after search with range + +Problem: ml_get error after search with range. +Solution: Limit the line number to the buffer line count. +--- + src/ex_docmd.c | 6 ++++-- + src/testdir/test_search.vim | 14 ++++++++++++++ + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/src/ex_docmd.c b/src/ex_docmd.c +index 76daf43..12554fa 100644 +--- a/src/ex_docmd.c ++++ b/src/ex_docmd.c +@@ -3586,8 +3586,10 @@ get_address( + + // When '/' or '?' follows another address, start from + // there. +- if (lnum != MAXLNUM) +- curwin->w_cursor.lnum = lnum; ++ if (lnum > 0 && lnum != MAXLNUM) ++ curwin->w_cursor.lnum = ++ lnum > curbuf->b_ml.ml_line_count ++ ? curbuf->b_ml.ml_line_count : lnum; + + // Start a forward search at the end of the line (unless + // before the first line). +diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim +index 1876713..ac0881c 100644 +--- a/src/testdir/test_search.vim ++++ b/src/testdir/test_search.vim +@@ -1366,3 +1366,17 @@ func Test_searchdecl() + + bwipe! + endfunc ++ ++func Test_search_with_invalid_range() ++ new ++ let lines =<< trim END ++ /\%.v ++ 5/ ++ c ++ END ++ call writefile(lines, 'Xrangesearch') ++ source Xrangesearch ++ ++ bwipe! ++ call delete('Xrangesearch') ++endfunc +-- +2.27.0 + diff --git a/vim.spec b/vim.spec index ae368fa..34cc467 100644 --- a/vim.spec +++ b/vim.spec 
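Review bot: The new bounds `MAXPATHL - len` in the four vim_snprintf() calls are computed in int and passed as a size_t, so they are only safe while `len <= MAXPATHL`; that invariant is established above the hunk (NameBuff is MAXPATHL bytes, and the hunk's first context line `*(p + len++) = ' ';` must only run when room remains), and win_redr_status() begins outside the hunk, so the backport should confirm the guard that keeps `len` below MAXPATHL before the space is appended exists in this tree, otherwise a negative difference wraps to a huge size and the overflow returns. Once a call truncates, `len += (int)STRLEN(p + len)` stops at MAXPATHL - 1 and every later call receives a size of 1 and writes only the NUL (assuming vim_snprintf follows snprintf semantics), so the chain is bounded but the truncation is silent and later tags such as `[RO]` may vanish from the status line. A comment on the first changed line would spare the next reader that derivation: `// MAXPATHL - len is >= 0 because len < MAXPATHL here; vim_snprintf truncates silently, so trailing tags may be dropped for very long names`. The added test hard-codes `repeat('x', 4090)` and states it assumes MAXPATHL is 4096, so on a build where MAXPATHL differs the test no longer reaches the overflow path; that assumption is worth noting in the spec changelog for this backport.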
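Review bot: The comment `// When '/' or '?' follows another address, start from there.` just above the changed lines in get_address() no longer describes the code: an address beyond the buffer is now silently clamped to `curbuf->b_ml.ml_line_count` instead of being used as-is, and a zero `lnum` now leaves `w_cursor.lnum` untouched where the removed line assigned it. Both look intended (the test sources `5/` in a fresh one-line buffer and expects no ml_get error), but the clamp means `5/pat` in a three-line buffer starts the search at line 3 with no diagnostic, which a reader of this function will not expect from the comment. Suggest replacing it with `// When '/' or '?' follows another address, start from there, clamped to the last buffer line so the cursor never points past ml_line_count; a zero address is ignored.` get_address() begins and ends outside the hunk, so whether an "Invalid range" error is still raised elsewhere for the out-of-range address cannot be checked from here.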
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 8.2 -Release: 11 +Release: 12 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org @@ -40,6 +40,8 @@ Patch6002: backport-CVE-2021-3770.patch Patch6003: backport-memory-leak-for-retab-with-invalid-argument.patch Patch6004: backport-CVE-2021-3778.patch Patch6005: backport-CVE-2021-3796.patch +Patch6006: backport-CVE-2021-3872.patch +Patch6007: backport-CVE-2021-3875.patch Patch9000: bugfix-rm-modify-info-version.patch @@ -428,6 +430,12 @@ popd %{_mandir}/man1/evim.* %changelog +* Sat Oct 23 2021 shixuantong - 2:8.2-12 +- Type:CVE +- ID:CVE-2021-3872 CVE-2021-3875 +- SUG:NA +- DESC:fix CVE-2021-3872 CVE-2021-3875 + * Sun Sep 26 2021 shixuantong - 2:8.2-11 - Type:CVE - ID:CVE-2021-3778 CVE-2021-3796 -- Gitee