From 383c3218bff97fa5fdbb4fac8b8fd23bef73b8d4 Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Sun, 29 Jan 2023 14:22:04 +0800
Subject: [PATCH] fix CVE-2022-47024 CVE-2023-0288
---
 backport-CVE-2022-47024.patch | 34 +++++++++++++++++++++++++++
 backport-CVE-2023-0288.patch | 44 +++++++++++++++++++++++++++++++++++
 vim.spec | 10 +++++++-
 3 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-47024.patch
 create mode 100644 backport-CVE-2023-0288.patch
diff --git a/backport-CVE-2022-47024.patch b/backport-CVE-2022-47024.patch
new file mode 100644
index 0000000..531031b
--- /dev/null
+++ b/backport-CVE-2022-47024.patch
@@ -0,0 +1,34 @@
+From a63ad78ed31e36dbdf3a9cd28071dcdbefce7d19 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 31 Aug 2022 12:01:54 +0100
+Subject: [PATCH] patch 9.0.0339: no check if the return value of XChangeGC()
+ is NULL
+
+Problem: No check if the return value of XChangeGC() is NULL.
+Solution: Only use the return value when it is not NULL. (closes #11020)
+---
+ src/gui_x11.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui_x11.c b/src/gui_x11.c
+index 6e3e903be462..7293ac4900a6 100644
+--- a/src/gui_x11.c
++++ b/src/gui_x11.c
+@@ -2231,10 +2231,14 @@ gui_x11_create_blank_mouse(void)
+ {
+ Pixmap blank_pixmap = XCreatePixmap(gui.dpy, gui.wid, 1, 1, 1);
+ GC gc = XCreateGC(gui.dpy, blank_pixmap, (unsigned long)0, (XGCValues*)0);
+- XDrawPoint(gui.dpy, blank_pixmap, gc, 0, 0);
+- XFreeGC(gui.dpy, gc);
++
++ if (gc != NULL)
++ {
++ XDrawPoint(gui.dpy, blank_pixmap, gc, 0, 0);
++ XFreeGC(gui.dpy, gc);
++ }
+ return XCreatePixmapCursor(gui.dpy, blank_pixmap, blank_pixmap,
+- (XColor*)&gui.norm_pixel, (XColor*)&gui.norm_pixel, 0, 0);
++ (XColor*)&gui.norm_pixel, (XColor*)&gui.norm_pixel, 0, 0);
+ }
+
+ /*
diff --git a/backport-CVE-2023-0288.patch b/backport-CVE-2023-0288.patch
new file mode 100644
index 0000000..d5fcb07
--- /dev/null
+++ b/backport-CVE-2023-0288.patch
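Review bot: In the gui_x11.c hunk carried by backport-CVE-2022-47024.patch, the `gc == NULL` path still falls through to `XCreatePixmapCursor()` with a `blank_pixmap` that was never drawn to, so on that path the cursor is built from undefined pixmap contents. If that is accepted, a comment above the `if` such as `/* No GC: the pixmap stays undrawn, so the cursor may not be fully blank. */` would record the decision. Separately, `blank_pixmap` is not released anywhere in the visible body; Xlib allows freeing the pixmaps once the cursor exists, so the return could become `cursor = XCreatePixmapCursor(...); XFreePixmap(gui.dpy, blank_pixmap); return cursor;`. The function's return-type line is outside the hunk.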
@@ -0,0 +1,44 @@
+From 232bdaaca98c34a99ffadf27bf6ee08be6cc8f6a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Fri, 13 Jan 2023 14:17:58 +0000
+Subject: [PATCH] patch 9.0.1189: invalid memory access with folding and using
+ "L"
+
+Problem: Invalid memory access with folding and using "L".
+Solution: Prevent the cursor from moving to line zero.
+---
+ src/normal.c | 3 ++-
+ src/testdir/test_fold.vim | 8 ++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c319be599ad7..3d9f74dec558 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -3757,7 +3757,8 @@ nv_scroll(cmdarg_T *cap)
+ {
+ (void)hasFolding(curwin->w_cursor.lnum,
+ &curwin->w_cursor.lnum, NULL);
+- --curwin->w_cursor.lnum;
++ if (curwin->w_cursor.lnum > curwin->w_topline)
++ --curwin->w_cursor.lnum;
+ }
+ }
+ else
+diff --git a/src/testdir/test_fold.vim b/src/testdir/test_fold.vim
+index adf9e5207838..f915a661336b 100644
+--- a/src/testdir/test_fold.vim
++++ b/src/testdir/test_fold.vim
+@@ -1547,4 +1547,12 @@ func Test_sort_closed_fold()
+ bw!
+ endfunc
+
++func Test_indent_with_L_command()
++ " The "L" command moved the cursor to line zero, causing the text saved for
++ " undo to use line number -1, which caused trouble for undo later.
++ new
++ sil! norm 8R V{zf8=Lu
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/vim.spec b/vim.spec
index a96522c..a1cadf1 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 25
+Release: 26
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -85,6 +85,8 @@ Patch6054: backport-CVE-2022-4293.patch
 Patch6055: backport-CVE-2023-0049.patch
 Patch6056: backport-CVE-2023-0051.patch
 Patch6057: backport-CVE-2023-0054.patch
+Patch6058: backport-CVE-2022-47024.patch
+Patch6059: backport-CVE-2023-0288.patch
 Patch9000: bugfix-rm-modify-info-version.patch
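Review bot: The guard added to nv_scroll() in the normal.c hunk of backport-CVE-2023-0288.patch has no comment saying why the decrement is now conditional. A line before the `if` such as `// Never move above the top line: line zero is invalid and breaks undo.` would keep a later cleanup from dropping it. The accompanying Test_indent_with_L_command() has no assertion and runs its command under `sil!`, so it presumably flags a regression only through a crash or a memory-checker report. It is worth confirming that the package's test run would actually fail without the fix. nv_scroll() begins and ends outside the hunk.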
@@ -492,6 +494,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 %changelog
+* Sun Jan 29 2023 wangjiang - 2:9.0-26
+- Type:CVE
+- ID:CVE-2022-47024 CVE-2023-0288
+- SUG:NA
+- DESC:CVE-2022-47024 CVE-2023-0288
+
 * Mon Jan 09 2023 wangjiang - 2:9.0-25
 - Type:CVE
 - ID:CVE-2023-0049 CVE-2023-0051 CVE-2023-0054
-- 
Gitee