From c6474518bf6f2871c54426399b1238df2f31a2ad Mon Sep 17 00:00:00 2001
From: wjiang
Date: Wed, 22 Jan 2025 15:17:56 +0800
Subject: [PATCH] fix CVE-2025-22134 CVE-2025-24014

(cherry picked from commit 00c355a17760a5d54b06d270a862e6d25447ea61)
---
backport-CVE-2025-22134.patch | 126 ++++++++++++++++++
backport-CVE-2025-24014.patch | 42 ++++++
...9.1.0038-Unnecessary-loop-in-getvcol.patch | 93 +++++++++++++
vim.spec | 11 +-
4 files changed, 271 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2025-22134.patch
create mode 100644 backport-CVE-2025-24014.patch
create mode 100644 backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch

diff --git a/backport-CVE-2025-22134.patch b/backport-CVE-2025-22134.patch
new file mode 100644
index 0000000..0a3c9b5
--- /dev/null
+++ b/backport-CVE-2025-22134.patch
@@ -0,0 +1,126 @@
+From c9a1e257f1630a0866447e53a564f7ff96a80ead Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sat, 11 Jan 2025 15:25:00 +0100
+Subject: [PATCH] patch 9.1.1003: [security]: heap-buffer-overflow with visual
+ mode
+
+Problem: [security]: heap-buffer-overflow with visual mode when
+ using :all, causing Vim trying to access beyond end-of-line
+ (gandalf)
+Solution: Reset visual mode on :all, validate position in gchar_pos()
+ and charwise_block_prep()
+
+This fixes CVE-2025-22134
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
+
+Co-authored-by: zeertzjq
+Signed-off-by: Christian Brabandt
+---
+ src/arglist.c | 4 ++++
+ src/misc1.c | 4 ++++
+ src/testdir/test_visual.vim | 26 ++++++++++++++++++++++----
+ 3 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index 8825c8e252ccc5..4eec079df438a3 100644
+--- a/src/arglist.c
++++ b/src/arglist.c
+@@ -979,6 +979,10 @@ do_arg_all(
+ need_mouse_correct = TRUE;
+ #endif
+
++ // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
++ // switching to another buffer.
++ reset_VIsual_and_resel();
++
+ // Try closing all windows that are not in the argument list.
+ // Also close windows that are not full width;
+ // When 'hidden' or "forceit" set the buffer becomes hidden.
+diff --git a/src/misc1.c b/src/misc1.c
+index 90cf914742b115..142a6161ea6c8a 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -514,11 +514,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last)
+ gchar_pos(pos_T *pos)
+ {
+ char_u *ptr;
++ int ptrlen;
+
+ // When searching columns is sometimes put at the end of a line.
+ if (pos->col == MAXCOL)
+ return NUL;
++ ptrlen = STRLEN(ml_get(pos->lnum));
+ ptr = ml_get_pos(pos);
++ if (pos->col > ptrlen)
++ return NUL;
+ if (has_mbyte)
+ return (*mb_ptr2char)(ptr);
+ return (int)*ptr;
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 0be73ecc1342b9..03335a464d62f3 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -469,7 +469,7 @@ func Test_Visual_Block()
+ \ "\t{",
+ \ "\t}"], getline(1, '$'))
+
+- close!
++ bw!
+ endfunc
+
+ " Test for 'p'ut in visual block mode
+@@ -1079,7 +1079,7 @@ func Test_star_register()
+
+ delmarks < >
+ call assert_fails('*yank', 'E20:')
+- close!
++ bw!
+ endfunc
+
+ " Test for changing text in visual mode with 'exclusive' selection
+@@ -1095,7 +1095,7 @@ func Test_exclusive_selection()
+ call assert_equal('l one', getline(1))
+ set virtualedit&
+ set selection&
+- close!
++ bw!
+ endfunc
+
+ " Test for starting linewise visual with a count.
+@@ -1152,7 +1152,7 @@ func Test_visual_inner_block()
+ 8,9d
+ call cursor(5, 1)
+ call assert_beeps('normal ViBiB')
+- close!
++ bw!
+ endfunc
+
+ func Test_visual_put_in_block()
+@@ -1513,4 +1513,22 @@ func Test_heap_buffer_overflow()
+ set updatecount&
+ endfunc
+
++" the following caused a Heap-Overflow, because Vim was accessing outside of a
++" line end
++func Test_visual_pos_buffer_heap_overflow()
++ set virtualedit=all
++ args Xa Xb
++ all
++ call setline(1, ['', '', ''])
++ call cursor(3, 1)
++ wincmd w
++ call setline(1, 'foobar')
++ normal! $lv0
++ all
++ call setreg('"', 'baz')
++ normal! [P
++ set virtualedit=
++ bw! Xa Xb
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.43.0
+
diff --git a/backport-CVE-2025-24014.patch b/backport-CVE-2025-24014.patch
new file mode 100644
index 0000000..76664f7
--- /dev/null
+++ b/backport-CVE-2025-24014.patch
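Review bot: In gchar_pos() the new bound check sits after `ptr = ml_get_pos(pos);`, so the pointer for an unvalidated `pos->col` is still formed (presumably as line start plus column) and only the dereference is skipped; moving the check up avoids computing that out-of-range pointer and also drops the second `ml_get()` lookup, i.e. `ptrlen = STRLEN(ml_get(pos->lnum)); if (pos->col > ptrlen) return NUL; ptr = ml_get_pos(pos);`. `ptrlen` is an `int` receiving the `size_t` from `STRLEN()`, apparently standing in for the `ml_get_len()` helper upstream uses; declaring it `colnr_T` or casting keeps the comparison with `pos->col` in one signedness. The patch description says the position is also validated in charwise_block_prep(), but the diffstat touches only arglist.c, misc1.c and the test, so that function is covered only if it goes through gchar_pos() — worth confirming on the 9.0 tree. The closing brace of gchar_pos() lies outside the hunk.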
@@ -0,0 +1,42 @@
+From 9d1bed5eccdbb46a26b8a484f5e9163c40e63919 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Mon, 20 Jan 2025 22:55:57 +0100
+Subject: [PATCH] patch 9.1.1043: [security]: segfault in win_line()
+
+Problem: [security]: segfault in win_line()
+ (fizz-is-on-the-way)
+Solution: Check that ScreenLines is not NULL
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
+
+Signed-off-by: Christian Brabandt
+---
+ src/gui.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/gui.c b/src/gui.c
+index 8e7b079a5a4ea4..86c40de632aa1e 100644
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -4510,13 +4510,15 @@ gui_do_scroll(void)
+ /*
+ * Don't call updateWindow() when nothing has changed (it will overwrite
+ * the status line!).
++ *
++ * Check for ScreenLines, because in ex-mode, we don't have a valid display.
+ */
+- if (old_topline != wp->w_topline
++ if (ScreenLines != NULL && (old_topline != wp->w_topline
+ || wp->w_redr_type != 0
+ #ifdef FEAT_DIFF
+ || old_topfill != wp->w_topfill
+ #endif
+- )
++ ))
+ {
+ int type = VALID;
+
+--
+2.43.0
+
diff --git a/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch b/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
new file mode 100644
index 0000000..983b76e
--- /dev/null
+++ b/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
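Review bot: The `ScreenLines != NULL` guard protects only this one redraw path in gui_do_scroll(), while the advisory names win_line() as the crash site; any other caller that reaches the drawing routines while Ex mode has left `ScreenLines` unallocated stays unchecked, and the function that actually dereferences the array gets no defensive check of its own. A sturdier backport would add an early `if (ScreenLines == NULL) return;` at the entry of the drawing routine (win_update() or win_line(), whichever the 9.0 tree uses as the entry point — not visible here), so a future GUI scroll path cannot reintroduce the NULL dereference. The new comment says only "we don't have a valid display"; it would help to state that `ScreenLines` is NULL until the screen arrays have been allocated — confirm that against the 9.0 screen-allocation code before wording it. gui_do_scroll() begins and ends outside the hunk.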
@@ -0,0 +1,93 @@
+From 4ea37f88e8345ca830271636a2e197a1a46114d2 Mon Sep 17 00:00:00 2001
+From: zeertzjq
+Date: Wed, 17 Jan 2024 20:52:13 +0100
+Subject: [PATCH] patch 9.1.0038: Unnecessary loop in getvcol()
+
+Problem: Unnecessary loop in getvcol().
+Solution: Compare next char position with pos->col directly.
+ (zeertzjq)
+
+The loop below already handles end of line before checking for posptr,
+and the next char is after pos->col whether pos->col is at the start or
+in the middle of the char in question, so neither the NUL check nor the
+mb_head_off() are needed when comparing the position of the next char
+with pos->col directly.
+
+closes: #13878
+
+Signed-off-by: zeertzjq
+Signed-off-by: Christian Brabandt
+---
+ src/charset.c | 29 ++++++-----------------------
+ 1 file changed, 6 insertions(+), 23 deletions(-)
+
+diff --git a/src/charset.c b/src/charset.c
+index 3ea2ecb8e216c2..eef2e8983c280e 100644
+--- a/src/charset.c
++++ b/src/charset.c
+@@ -1178,7 +1178,6 @@ getvcol(
+ {
+ colnr_T vcol;
+ char_u *ptr; // points to current char
+- char_u *posptr; // points to char at pos->col
+ char_u *line; // start of the line
+ int incr;
+ int head;
+@@ -1190,24 +1189,6 @@ getvcol(
+
+ vcol = 0;
+ line = ptr = ml_get_buf(wp->w_buffer, pos->lnum, FALSE);
+- if (pos->col == MAXCOL)
+- posptr = NULL; // continue until the NUL
+- else
+- {
+- colnr_T i;
+-
+- // In a few cases the position can be beyond the end of the line.
+- for (i = 0; i < pos->col; ++i)
+- if (ptr[i] == NUL)
+- {
+- pos->col = i;
+- break;
+- }
+- posptr = ptr + pos->col;
+- if (has_mbyte)
+- // always start on the first byte
+- posptr -= (*mb_head_off)(line, posptr);
+- }
+
+ /*
+ * This function is used very often, do some speed optimizations.
+@@ -1263,11 +1244,12 @@ getvcol(
+ incr = g_chartab[c] & CT_CELL_MASK;
+ }
+
+- if (posptr != NULL && ptr >= posptr) // character at pos->col
++ char_u *next_ptr = ptr + (*mb_ptr2len)(ptr);
++ if (next_ptr - line > pos->col) // character at pos->col
+ break;
+
+ vcol += incr;
+- MB_PTR_ADV(ptr);
++ ptr = next_ptr;
+ }
+ }
+ else
+@@ -1284,11 +1266,12 @@ getvcol(
+ break;
+ }
+
+- if (posptr != NULL && ptr >= posptr) // character at pos->col
++ char_u *next_ptr = ptr + (*mb_ptr2len)(ptr);
++ if (next_ptr - line > pos->col) // character at pos->col
+ break;
+
+ vcol += incr;
+- MB_PTR_ADV(ptr);
++ ptr = next_ptr;
+ }
+ }
+ if (start != NULL)
+--
+2.43.0
+
diff --git a/vim.spec b/vim.spec
index 67777db..9069844 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@ Name: vim Epoch: 2 Version: 9.0
-Release: 30
+Release: 31 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text. License: Vim and MIT URL: http://www.vim.org
@@ -128,6 +128,9 @@ Patch6098: backport-CVE-2024-43374.patch Patch6099: backport-CVE-2024-43802.patch Patch6100: backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch Patch6101: backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
+Patch6102: backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
+Patch6103: backport-CVE-2025-22134.patch
+Patch6104: backport-CVE-2025-24014.patch Patch9000: bugfix-rm-modify-info-version.patch Patch9001: vim-Add-sw64-architecture.patch
@@ -539,6 +542,12 @@ LANG=en_US.UTF-8 make -j1 test %{_mandir}/man1/evim.* %changelog
+* Mon Jan 20 2025 wangjiang - 2:9.0-31
+- Type:CVE
+- ID:CVE-2025-22134 CVE-2025-24014
+- SUG:NA
+- DESC:CVE-2025-22134 CVE-2025-24014
+
* Fri Dec 13 2024 wangjiang - 2:9.0-30 - Type:bugfix - ID:NA -- Gitee
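Review bot: The new `if (next_ptr - line > pos->col) break;` test no longer normalizes a `pos->col` that lies beyond the line end: the loop this patch removes wrote `pos->col = i` back into the caller's position when it hit the NUL, whereas the new code leaves the out-of-range column untouched and simply runs to the end of the line. Upstream evidently accepted that, but in a 9.0 backport any caller that relied on getvcol() clamping its argument now passes an unclamped column on to the next consumer — the same class of defect CVE-2025-22134 closes in gchar_pos() — so the 9.0 callers that feed getvcol() a cursor or Visual position across a buffer switch deserve an audit before this non-security refactor ships as a prerequisite. A short comment at the comparison would make the changed contract explicit, e.g. `// pos->col beyond the line end is NOT clamped here; callers must validate it`. getvcol() begins and ends outside the hunk.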
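Review bot: Patch6102 pulls in the non-security patch 9.1.0038 ahead of the two CVE fixes without saying why, and the changelog DESC names only the two CVE ids, so a later rebase cannot tell whether 9.1.0038 is a hard prerequisite (presumably the CVE-2025-22134 hunk or its test needs the reworked getvcol()) or an accidental drag-along that could be dropped. Since 9.1.0038 changes how getvcol() treats an out-of-range column, dropping or reordering it silently would alter the behaviour the CVE fix was tested against. Add a comment beside the Patch line, e.g. `# 9.1.0038 is a prerequisite for backport-CVE-2025-22134.patch; keep the order`, and mention it in the changelog DESC.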