From 752d2b2eff0db2e711bc91b779b5759ddc0a4600 Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Tue, 29 Nov 2022 11:43:34 +0800
Subject: [PATCH] fix CVE-2022-4141
---
 backport-CVE-2022-4141.patch | 145 +++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++-
 2 files changed, 153 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-4141.patch
diff --git a/backport-CVE-2022-4141.patch b/backport-CVE-2022-4141.patch
new file mode 100644
index 0000000..fb6437a
--- /dev/null
+++ b/backport-CVE-2022-4141.patch
@@ -0,0 +1,145 @@
+From cc762a48d42b579fb7bdec2c614636b830342dd5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 25 Nov 2022 13:03:31 +0000
+Subject: [PATCH] patch 9.0.0947: invalid memory access in substitute with
+ function
+
+Problem: Invalid memory access in substitute with function that goes to
+ another file.
+Solution: Check for text locked in CTRL-W gf.
+---
+ src/normal.c | 33 ++++++++++++++++++++++++---------
+ src/proto/normal.pro | 1 +
+ src/testdir/test_substitute.vim | 19 +++++++++++++++++++
+ src/window.c | 4 +++-
+ 4 files changed, 47 insertions(+), 10 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index 938ae718efa2..0d1eba759e69 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -192,13 +192,33 @@ check_text_locked(oparg_T *oap)
+ {
+ if (text_locked())
+ {
+- clearopbeep(oap);
++ if (oap != NULL)
++ clearopbeep(oap);
+ text_locked_msg();
+ return TRUE;
+ }
+ return FALSE;
+ }
+
++/*
++ * If text is locked, "curbuf_lock" or "allbuf_lock" is set:
++ * Give an error message, possibly beep and return TRUE.
++ * "oap" may be NULL.
++ */
++ int
++check_text_or_curbuf_locked(oparg_T *oap)
++{
++ if (check_text_locked(oap))
++ return TRUE;
++ if (curbuf_locked())
++ {
++ if (oap != NULL)
++ clearop(oap);
++ return TRUE;
++ }
++ return FALSE;
++}
++
+ /*
+ * Handle the count before a normal command and set cap->count0.
+ */
+@@ -816,8 +836,7 @@ normal_cmd(
+ goto normal_end;
+ }
+
+- if ((nv_cmds[idx].cmd_flags & NV_NCW)
+- && (check_text_locked(oap) || curbuf_locked()))
++ if ((nv_cmds[idx].cmd_flags & NV_NCW) && check_text_or_curbuf_locked(oap))
+ // this command is not allowed now
+ goto normal_end;
+
+@@ -4058,13 +4077,9 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+
+- if (check_text_locked(cap->oap))
+- return;
+- if (curbuf_locked())
+- {
+- clearop(cap->oap);
++ if (check_text_or_curbuf_locked(cap->oap))
+ return;
+- }
++
+ #ifdef FEAT_PROP_POPUP
+ if (ERROR_IF_TERM_POPUP_WINDOW)
+ return;
+diff --git a/src/proto/normal.pro b/src/proto/normal.pro
+index 106d0e1..eff08df 100644
+--- a/src/proto/normal.pro
++++ b/src/proto/normal.pro
+@@ -1,4 +1,5 @@
+ /* normal.c */
++int check_text_or_curbuf_locked(oparg_T *oap);
+ void normal_cmd(oparg_T *oap, int toplevel);
+ void check_visual_highlight(void);
+ void end_visual_mode(void);
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 7e7ccff..73c8c57 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -1076,6 +1076,25 @@ func Test_sub_edit_scriptfile()
+ bwipe!
+ endfunc
+
++" This was editing another file from the expression.
++func Test_sub_expr_goto_other_file()
++ call writefile([''], 'Xfileone', 'D')
++ enew!
++ call setline(1, ['a', 'b', 'c', 'd',
++ \ 'Xfileone zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'])
++
++ func g:SplitGotoFile()
++ exe "sil! norm 0\gf"
++ return ''
++ endfunc
++
++ $
++ s/\%')/\=g:SplitGotoFile()
++
++ delfunc g:SplitGotoFile
++ bwipe!
++endfunc
++
+ " Test for the 2-letter and 3-letter :substitute commands
+ func Test_substitute_short_cmd()
+ new
+diff --git a/src/window.c b/src/window.c
+index 97cc77035f95..a2bebcaea4df 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -534,6 +534,8 @@ do_window(
+ case Ctrl_F:
+ wingotofile:
+ CHECK_CMDWIN;
++ if (check_text_or_curbuf_locked(NULL))
++ break;
+
+ ptr = grab_file_name(Prenum1, &lnum);
+ if (ptr != NULL)
+@@ -857,7 +859,7 @@ win_split(int size, int flags)
+ * When "new_wp" is NULL: split the current window in two.
+ * When "new_wp" is not NULL: insert this window at the far
+ * top/left/right/bottom.
+- * return FAIL for failure, OK otherwise
++ * Return FAIL for failure, OK otherwise.
+ */
+ int
+ win_split_ins(
+--
+2.33.0
diff --git a/vim.spec b/vim.spec
index d0bc0b9..f5abbfb 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim
 Epoch: 2
 Version: 9.0
-Release: 20
+Release: 21
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -74,6 +74,7 @@ Patch6043: backport-CVE-2022-3297.patch
 Patch6044: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
 Patch6045: backport-CVE-2022-3324.patch
 Patch6046: backport-CVE-2022-3705.patch
+Patch6047: backport-CVE-2022-4141.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -473,6 +474,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Nov 29 2022 wangjiang - 2:9.0-21
+- Type:CVE
+- ID:CVE-2022-4141
+- SUG:NA
+- DESC:fix CVE-2022-4141
+
 * Tue Nov 01 2022 wangjiang - 2:9.0-20
 - Type:CVE
 - ID:CVE-2022-3705
-- Gitee
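Review bot: Test_sub_expr_goto_other_file in the test_substitute.vim hunk shows the keystroke as `exe "sil! norm 0\gf"`, i.e. a plain `gf`, but plain `gf` goes through nv_gotofile, which the nv_gotofile hunk shows was already guarded by check_text_locked() before this patch; the new guard in do_window is only reached via CTRL-W gf, the path the patch subject names. The `\<C-W>` key notation looks to have been stripped by the page rendering, so confirm the backport file carries `exe "sil! norm 0\<C-W>gf"`, otherwise the test does not exercise the check it was added for. Separately, `call writefile([''], 'Xfileone', 'D')` relies on writefile()'s 'D' delete-on-exit flag, which appears newer than the 9.0 base this spec builds on; if that base ignores unknown flags, Xfileone is left behind after the run, and a `call delete('Xfileone')` before `bwipe!` would be the portable form.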