From e7728b3e45c1ba4e2edb3fe637b5570f1d0cda46 Mon Sep 17 00:00:00 2001 From: wangjiang Date: Tue, 6 Dec 2022 14:53:20 +0800 Subject: [PATCH] fix CVE-2022-3491 CVE-2022-3520 CVE-2022-3591 (cherry picked from commit adabc3a52e934bb35c90269c448d52eba13c41ce) --- backport-CVE-2022-3491.patch | Bin 0 -> 7037 bytes backport-CVE-2022-3520.patch | 52 +++++++++++++++ backport-CVE-2022-3591.patch | 62 ++++++++++++++++++ ...est-for-dummy-buffer-does-not-always.patch | 29 ++++++++ vim.spec | 12 +++- 5 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2022-3491.patch create mode 100644 backport-CVE-2022-3520.patch create mode 100644 backport-CVE-2022-3591.patch create mode 100644 backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch 
diff --git a/backport-CVE-2022-3491.patch b/backport-CVE-2022-3491.patch new file mode 100644 index 0000000000000000000000000000000000000000..dc7552b296bbc3f478d301e08ba62d3a81a89ac2 GIT binary patch literal 7037 zcmd5>X>;4i5zSZOSM+jICMAIs4&JuBQe-JnMfSQxIjNM(g#y6=i3kK(04T|^{onI? z1{WpDve&z*zz4`VdU{@WzwQ~HCGnE%UT^67V#I%puIEmt!|tGGkF43SH}b8S<$IQC zbWM64M>G*DG6!TBWBHdX!!Wfoh#Avg5_gF)aVR3!P3Q%GKe`E)oj94l)Lyxn7}M2a zt&?ffuU>|!mPKZNY+B>qfc6d3Fto{f`fuT7V|xGg`0C_uA86%f-hxIQqhk!Z)|e9E z&Vp!;_B10A%_#OMTL=n+NYL#3%=?;sOthIaXOfZ@pDopkUCOME5^cx^n7%}Tu_SY>kFXX^Ft z&8mwiR_4XLI&T}_(>zEAD;JjlpBcmlWS69cp$nu$BIhl74!*tTKz z`kl^n+UwiBzSZvzy95XAce`w)Cs)$|Ej_v7(Gj(~mO0S-v@hS-Alhcarz<#svs{N+ zunL7Vej@zVF1z2&sB^Lq-t|P+b_lB9_UC{gN%L1K!C~_ zbok;0WeNQ1^vx^o;YZGlBcaBsw!kN|=;sy|Mu#tt{$xC8tw|!*C-93QxpLJqDp&>g z=d(6Wr@s@5h14iEvhcza8EH0`cc`UldbZGZ1 z-}VPqr_=X_zUdpDFs8=0#9~d{*P^jDjN{QVO-nbyl=4Hr&jFbOOIj70lE1~Qj49yr zNKCakTJo5x+)0L55s+#G{s-=cmQUbDIRH@>zBfJ;F;s6S*}*OOqb6`D6)kxH=3k4Q zsIO3>2tYLCvo-_p9=#xFYH=r5Q<3*XC>1-!eD%nkmfxzKsvVUb(6?d_kcqd5sVVM+ zx6Z_@SwXU0-0w(4e-sYVY3PvNH=8vJV>=JXHh~}ff#`&(WZ}X-l_PDpMZq;{e9e(C zd@GaxIDkm}G>ehy4=Zps!l=~rQBdb&7Erm(@8Nfk$^73s-!_i&G(=+FGL`R?F5=(}7s|!+?o3XP=x! zQTip$n)aAWbP{)NGIy?MPq-_cJTJTBFZ`C-i0G3>I|!84zvNYz+Uci5n*9Czt@E$b2@7EX zENJK80Ofmvvqu=aGnp~Hb&`lEWBLzV95L`ATnp6lJ5sx1i#*=prTG-$$Xb)t(W%tw zc7dal4wdA*vbjo4`2D5-0n(5-m2aPUn+1&gJQ=^Go=MPR}w2{iu$1pR>|G zs97!ox<610!hefS1!PQ>3S-ChnE9<5*TRl>wW)QEYCXcfRr5T+7*wkKQITCO+_1uy zkV30K(w4kd`htuSrkUIwBus5nr?caW$!Sd{mgYq_BDDx%_5K0jFz$xn!ms{u{@OXY zI6c0s%o({$0hd)vZt0iiRzAI@H=hkCwsclgd8go@`i_w-XrJuoXyqQUOy@19B^=L< zaDC(8ES;&Ww2Q@6`Wp0g+*~1j4Mw_U{80Lm3?B)cA0$1MR8-3bOR<~^MPE7;~8d_ClQI6R_j8~G}RCa$qAn^OIp@D8*WeXzg@|={Z zh*K2~r7CscpFcd^%gV02+pE=&MO$7%PHkc01TWmK@H?G>J@wtb*LQtWJW@iI^Y2xW zWjjZrnctYnw>jcKWQClW@Ip5cj=Ys^6~&~qv^ou^_oKX+;X0`ouY^;S61ZxV4Laq1 z!t9~#AMD}eu!q}Yd9};Qhsn3WV;Y2OCztabZh8|jM_v=SP>E@sq7!k+ z(?+(#uMMU>1gd5|>wztDFj2`h7+)NzWFWAC@wxbIrUVOpHXxAa#`uQgo{Pl%H>Soj97h|^!m)hK#|;_$jXyWE{{jGU?rZ=6 literal 0 HcmV?d00001 
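Review bot: backport-CVE-2022-3491.patch is added as a git binary literal (`Bin 0 -> 7037 bytes` in the diffstat), so the source change it carries cannot be read or reviewed in this commit, unlike the other two CVE backports, which are plain text. A likely cause is non-text bytes inside the patch file, but that is an inference from the binary encoding only. Before `Patch6048` is accepted, the decoded blob should be compared against the upstream Vim patch it claims to backport. The commit message should name that upstream commit so the comparison can be repeated, e.g. `Reference: <upstream commit URL for CVE-2022-3491>`.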
diff --git a/backport-CVE-2022-3520.patch b/backport-CVE-2022-3520.patch
new file mode 100644
index 0000000..09ebe55
--- /dev/null
+++ b/backport-CVE-2022-3520.patch
@@ -0,0 +1,52 @@
+From 36343ae0fb7247e060abfd35fb8e4337b33abb4b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Sat, 15 Oct 2022 19:04:05 +0100
+Subject: [PATCH] patch 9.0.0765: with a Visual block a put command column may
+ go negative
+
+Problem: With a Visual block a put command column may go negative.
+Solution: Check that the column does not become negative.
+---
+ src/register.c | 2 ++
+ src/testdir/test_visual.vim | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/src/register.c b/src/register.c
+index 30e2001..41089a0 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -1945,6 +1945,8 @@ do_put(
+ // adjust '] mark
+ curbuf->b_op_end.lnum = curwin->w_cursor.lnum - 1;
+ curbuf->b_op_end.col = bd.textcol + totlen - 1;
++ if (curbuf->b_op_end.col < 0)
++ curbuf->b_op_end.col = 0;
+ curbuf->b_op_end.coladd = 0;
+ if (flags & PUT_CURSEND)
+ {
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index e965266..956a3d7 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -483,6 +483,18 @@ func Test_visual_block_put()
+ bw!
+ endfunc
+
++func Test_visual_block_put_invalid()
++ enew!
++ behave mswin
++ norm yy
++ norm v)Ps/^/
++ " this was causing the column to become negative
++ silent norm ggv)P
++
++ bwipe!
++ behave xterm
++endfunc
++
+ " Visual modes (v V CTRL-V) followed by an operator; count; repeating
+ func Test_visual_mode_op()
+ new
+-- 
+2.27.0
+
diff --git a/backport-CVE-2022-3591.patch b/backport-CVE-2022-3591.patch
new file mode 100644
index 0000000..a4d776c
--- /dev/null
+++ b/backport-CVE-2022-3591.patch
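Review bot: The clamp added to `do_put()` in src/register.c (inside backport-CVE-2022-3520.patch) has no comment saying when `curbuf->b_op_end.col` can go below zero. From the assignment just above it, that happens when `bd.textcol + totlen` is 0. A one-line comment would keep the reason next to the check, e.g. `// bd.textcol + totlen can be zero; keep the '] mark column non-negative`. The accompanying `Test_visual_block_put_invalid` contains no assertion, so it catches a regression only if Vim crashes, which an out-of-range column may not do in an ordinary build; an assertion on the resulting mark position would make it stricter. The body of `do_put()` continues outside the hunk, so how the `PUT_CURSEND` branch uses the clamped column cannot be confirmed from this diff.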
@@ -0,0 +1,62 @@
+From 8f3c3c6cd044e3b5bf08dbfa3b3f04bb3f711bad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 18 Oct 2022 17:05:54 +0100
+Subject: [PATCH] patch 9.0.0789: dummy buffer ends up in a window
+
+Problem: Dummy buffer ends up in a window.
+Solution: Disallow navigating to a dummy buffer.
+---
+ src/buffer.c | 7 +++++++
+ src/testdir/test_autocmd.vim | 20 ++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 0849b7099..5a4825feb 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1332,6 +1332,13 @@ do_buffer_ext(
+ )
+ return OK;
+ #endif
++ if ((action == DOBUF_GOTO || action == DOBUF_SPLIT)
++ && (buf->b_flags & BF_DUMMY))
++ {
++ // disallow navigating to the dummy buffer
++ semsg(_(e_buffer_nr_does_not_exist), count);
++ return FAIL;
++ }
+
+ #ifdef FEAT_GUI
+ need_mouse_correct = TRUE;
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 0706e7307..6ba1b02df 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -3857,4 +3857,24 @@ func Test_autocmd_delete()
+ call assert_true(autocmd_delete([test_null_dict()]))
+ endfunc
+
++func Test_autocmd_split_dummy()
++ " Autocommand trying to split a window containing a dummy buffer.
++ auto BufReadPre * exe "sbuf " .. expand("")
++ " Avoid the "W11" prompt
++ au FileChangedShell * let v:fcs_choice = 'reload'
++ func Xautocmd_changelist()
++ cal writefile(['Xtestfile2:4:4'], 'Xerr')
++ edit Xerr
++ lex 'Xtestfile2:4:4'
++ endfunc
++ call Xautocmd_changelist()
++ call assert_fails('call Xautocmd_changelist()', 'E86:')
++
++ au! BufReadPre
++ au! FileChangedShell
++ delfunc Xautocmd_changelist
++ bwipe! Xerr
++ call delete('Xerr')
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
diff --git a/backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch b/backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch
new file mode 100644
index 0000000..db97778
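Review bot: The error raised by the new dummy-buffer check in `do_buffer_ext()` (src/buffer.c, inside backport-CVE-2022-3591.patch) formats `count`, while the buffer being refused is `buf`. The parameter list and the lookup code are outside the hunk, so it is not visible whether `count` always holds a buffer number at this point; if it can be a relative count, the message names the wrong buffer. Using the matched buffer's own number avoids the question: `semsg(_(e_buffer_nr_does_not_exist), buf->b_fnum);`. The comment could also record why only `DOBUF_GOTO` and `DOBUF_SPLIT` are rejected, which should be confirmed against the full function.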
--- /dev/null
+++ b/backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch
@@ -0,0 +1,29 @@
+From 53c5c9f50ca68d3ed559eebb2c5f7d23f39a768c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 18 Oct 2022 17:25:03 +0100
+Subject: [PATCH] patch 9.0.0790: test for dummy buffer does not always produce
+ the E86 error
+
+Problem: Test for dummy buffer does not always produce the E86 error.
+Solution: Do not check if the error is produced.
+---
+ src/testdir/test_autocmd.vim | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 6ba1b02df..04f3e1431 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -3868,7 +3868,8 @@ func Test_autocmd_split_dummy()
+ lex 'Xtestfile2:4:4'
+ endfunc
+ call Xautocmd_changelist()
+- call assert_fails('call Xautocmd_changelist()', 'E86:')
++ " Should get E86, but it doesn't always happen (timing?)
++ silent! call Xautocmd_changelist()
+
+ au! BufReadPre
+ au! FileChangedShell
+-- 
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index b13675d..e4c83d9 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 2
+Release: 3
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -74,6 +74,10 @@ Patch6044: backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-
 Patch6045: backport-CVE-2022-3324.patch
 Patch6046: backport-CVE-2022-3705.patch
 Patch6047: backport-CVE-2022-4141.patch
+Patch6048: backport-CVE-2022-3491.patch
+Patch6049: backport-CVE-2022-3520.patch
+Patch6050: backport-CVE-2022-3591.patch
+Patch6051: backport-patch-9.0.0790-test-for-dummy-buffer-does-not-always.patch
 Patch9000: bugfix-rm-modify-info-version.patch
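Review bot: `silent! call Xautocmd_changelist()` in backport-patch-9.0.0790 discards every error, so `Test_autocmd_split_dummy` no longer checks that the dummy-buffer guard from patch 9.0.0789 fires; it fails only if Vim crashes. The added comment gives timing as the suspected reason E86 is not always raised, so the relaxation may be needed for stable builds. The package then depends on a crash being visible during `make -j1 test` to notice a regression of the CVE-2022-3591 fix. Running the test suite under a memory checker in the build would recover most of that coverage. Otherwise the test comment should state the limitation, e.g. `" No assertion: passes unless Vim crashes; E86 is not reliably raised`.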
@@ -473,6 +477,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Dec 06 2022 wangjiang - 2:9.0-3
+- Type:CVE
+- ID:CVE-2022-3491 CVE-2022-3520 CVE-2022-3591
+- SUG:NA
+- DESC:fix CVE-2022-3491 CVE-2022-3520 CVE-2022-3591
+
 * Tue Nov 29 2022 wangjiang - 2:9.0-2
 - Type:CVE
 - ID:CVE-2022-4141
-- Gitee