!417 [sync] PR-411: fix CVE-2022-3352

From: @openeuler-sync-bot 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6

backport-CVE-2022-3352.patch

@@ -0,0 +1,77 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem:    SpellFileMissing autocmd may delete buffer.
+Solution:   Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c                 |  6 +++++-
+ src/spell.c                  |  6 ++++++
+ src/testdir/test_autocmd.vim | 11 +++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index f66c234..b647d82 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -465,8 +465,12 @@ can_unload_buffer(buf_T *buf)
+ 	    }
+     }
+     if (!can_unload)
++    {
++	char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
++
+ 	semsg(_("E937: Attempt to delete a buffer that is in use: %s"),
+-								 buf->b_fname);
++				fname != NULL ? fname : (char_u *)"[No Name]");
++    }
+     return can_unload;
+ }
+ 
+diff --git a/src/spell.c b/src/spell.c
+index 1d7a1ae..e32dbe7 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1539,6 +1539,10 @@ spell_load_lang(char_u *lang)
+     sl.sl_slang = NULL;
+     sl.sl_nobreak = FALSE;
+ 
++    // Disallow deleting the current buffer.  Autocommands can do weird things
++    // and cause "lang" to be freed.
++    ++curbuf->b_locked;
++
+     // We may retry when no spell file is found for the language, an
+     // autocommand may load it then.
+     for (round = 1; round <= 2; ++round)
+@@ -1592,6 +1596,8 @@ spell_load_lang(char_u *lang)
+ 	STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ 	do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+     }
++
++    --curbuf->b_locked;
+ }
+ 
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 27ec80d..e7ffc37 100755
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -2343,3 +2343,14 @@ func Test_BufWrite_lockmarks()
+   call delete('Xtest')
+   call delete('Xtest2')
+ endfunc
++
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++  next 0
++  au SpellFileMissing 0 bwipe
++  call assert_fails('set spell spelllang=0', 'E937:')
++
++  au! SpellFileMissing
++  bwipe
++endfunc
++
+-- 
+2.27.0
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        67
+Release:        68
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -188,6 +188,7 @@ Patch6146:      backport-CVE-2022-3134.patch
 Patch6147:      backport-CVE-2022-3234.patch
 Patch6148:      backport-CVE-2022-3235.patch
 Patch6149:      backport-CVE-2022-3256.patch
+Patch6150:      backport-CVE-2022-3352.patch
 
 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -481,6 +482,7 @@ popd
 %{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :
 
 %check
+export TERM=linux
 LC_ALL=en_US.UTF-8 make -j1 test
 
 %files common
@@ -576,6 +578,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Mon Oct 10 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-68
+- Type:CVE
+- ID:CVE-2022-3352
+- SUG:NA
+- DESC:fix CVE-2022-3352
+
 * Fri Sep 23 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-67
 - Type:CVE
 - ID:CVE-2022-3256