From d19cf3ca81ba2ae35d9ce83e09d34f0c92ae3482 Mon Sep 17 00:00:00 2001
From: wjiang
Date: Fri, 30 Aug 2024 09:57:58 +0800
Subject: [PATCH] fix CVE-2024-43802

(cherry picked from commit 7e5489e767dd921386dc0d28890cb86d7e169482)
---
 backport-CVE-2024-43802.patch | 45 +++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-43802.patch

diff --git a/backport-CVE-2024-43802.patch b/backport-CVE-2024-43802.patch
new file mode 100644
index 0000000..03e2056
--- /dev/null
+++ b/backport-CVE-2024-43802.patch
@@ -0,0 +1,45 @@
+From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 25 Aug 2024 21:33:03 +0200
+Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
+ ins_typebuf
+
+Problem: heap-buffer-overflow in ins_typebuf
+ (SuyueGuo)
+Solution: When flushing the typeahead buffer, validate that there
+ is enough space left
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
+
+Signed-off-by: Christian Brabandt
+---
+ src/getchar.c | 15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 29323fa328bd1..96e180f4ae1a9 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -437,9 +437,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
+ 
+ if (flush_typeahead == FLUSH_MINIMAL)
+ {
+- // remove mapped characters at the start only
+- typebuf.tb_off += typebuf.tb_maplen;
+- typebuf.tb_len -= typebuf.tb_maplen;
++ // remove mapped characters at the start only,
++ // but only when enough space left in typebuf
++ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
++ {
++ typebuf.tb_off = MAXMAPLEN;
++ typebuf.tb_len = 0;
++ }
++ else
++ {
++ typebuf.tb_off += typebuf.tb_maplen;
++ typebuf.tb_len -= typebuf.tb_maplen;
++ }
+ #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
+ if (typebuf.tb_len == 0)
+ typebuf_was_filled = FALSE;
diff --git a/vim.spec b/vim.spec
index b044c8a..adde530 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 26
+Release: 27
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
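Review bot: The new guard `if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)` bounds only the offset arithmetic and still assumes `tb_maplen <= tb_len`, so the else branch's `typebuf.tb_len -= typebuf.tb_maplen` can drive `tb_len` negative if a mapped prefix longer than the pending typeahead is ever recorded. Unless callers guarantee that invariant (not visible here), widen the condition to `if (typebuf.tb_maplen > typebuf.tb_len || typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)`, or at least state the assumption in the comment above it. The overflow branch also changes what FLUSH_MINIMAL means in that case, discarding all pending typeahead (`tb_len = 0`) rather than only the mapped prefix, which deserves a why-comment such as `// inconsistent typebuf: drop everything rather than index past tb_buf`. Neither branch resets `tb_maplen`; presumably that happens further down in flush_buffers, whose body begins before and continues after this hunk, so the backported patch should be checked against the 9.0 tree's version of that tail as well as the context shown.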
@@ -125,6 +125,7 @@ Patch6095: backport-CVE-2024-41965.patch
 Patch6096: backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.patch
 Patch6097: backport-CVE-2024-41957.patch
 Patch6098: backport-CVE-2024-43374.patch
+Patch6099: backport-CVE-2024-43802.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 
@@ -534,6 +535,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Thu Aug 29 2024 wangjiang - 2:9.0-27
+- Type:CVE
+- ID:CVE-2024-43802
+- SUG:NA
+- DESC:fix CVE-2024-43802
+
 * Wed Aug 21 2024 wangjiang - 2:9.0-26
 - Type:enhacement
 - ID:NA
-- 
Gitee