backport upstream patch to fix memory leak

backport-patch-9.0.0024-may-access-part-of-typeahead-buf-that-is-not-filled.patch

@@ -0,0 +1,26 @@
+From af043e12d9e5869c597de40b9a2517ae97ac72e7 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 2 Jul 2022 12:08:16 +0100
+Subject: [PATCH] patch 9.0.0024: may access part of typeahead buf that isn't
+ filled
+
+Problem:    May access part of typeahead buf that isn't filled.
+Solution:   Check length of typeahead.
+---
+ src/getchar.c | 3 ++-
+  files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 210a67acad59..12fd1c9146b3 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -2437,7 +2437,8 @@ handle_mapping(
+     int		is_plug_map = FALSE;
+ 
+     // If typehead starts with <Plug> then remap, even for a "noremap" mapping.
+-    if (typebuf.tb_buf[typebuf.tb_off] == K_SPECIAL
++    if (typebuf.tb_len >= 3
++	    && typebuf.tb_buf[typebuf.tb_off] == K_SPECIAL
+ 	    && typebuf.tb_buf[typebuf.tb_off + 1] == KS_EXTRA
+ 	    && typebuf.tb_buf[typebuf.tb_off + 2] == KE_PLUG)
+ 	is_plug_map = TRUE;

backport-patch-9.0.1331-illegal-memory-access-when-using-ball-in-Visual-mode.patch

@@ -0,0 +1,57 @@
+From e1121b139480f53d1b06f84f3e4574048108fa0b Mon Sep 17 00:00:00 2001
+From: Pavel Mayorov <pmayorov@cloudlinux.com>
+Date: Mon, 20 Feb 2023 14:35:20 +0000
+Subject: [PATCH] patch 9.0.1331: illegal memory access when using :ball in
+ Visual mode
+
+Problem:    Illegal memory access when using :ball in Visual mode.
+Solution:   Stop Visual mode when using :ball. (Pavel Mayorov, closes #11923)
+---
+ src/buffer.c                |  4 ++++
+ src/testdir/test_visual.vim | 19 +++++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index cb7bdf445dee..ff35729fb929 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -5319,6 +5319,10 @@ ex_buffer_all(exarg_T *eap)
+     else
+ 	all = TRUE;
+ 
++    // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
++    // switching to another buffer.
++    reset_VIsual_and_resel();
++
+     setpcmark();
+ 
+ #ifdef FEAT_GUI
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 295e16f93d9d..f152e7b79ba8 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -1493,5 +1493,24 @@ func Test_visual_area_adjusted_when_hiding()
+   bwipe!
+ endfunc
+ 
++" Check fix for the heap-based buffer overflow bug found in the function
++" utfc_ptr2len and reported at
++" https://huntr.dev/bounties/ae933869-a1ec-402a-bbea-d51764c6618e
++func Test_heap_buffer_overflow()
++  enew
++  set updatecount=0
++
++  norm R0
++  split other
++  norm R000
++  exe "norm \<C-V>l"
++  ball
++  call assert_equal(getpos("."), getpos("v"))
++  call assert_equal('n', mode())
++  norm zW
++
++  %bwipe!
++  set updatecount&
++endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        9
+Release:        10
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -87,6 +87,8 @@ Patch6057:      backport-CVE-2023-0054.patch
 Patch6058:      backport-CVE-2022-47024.patch
 Patch6059:      backport-CVE-2023-0288.patch
 Patch6060:      backport-CVE-2023-0433.patch
+Patch6061:      backport-patch-9.0.0024-may-access-part-of-typeahead-buf-that-is-not-filled.patch
+Patch6062:      backport-patch-9.0.1331-illegal-memory-access-when-using-ball-in-Visual-mode.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@@ -495,6 +497,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Wed Feb 22 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-10
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:backport upstream patch to fix memory leak
+
 * Mon Feb 06 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-9
 - Type:CVE
 - ID:CVE-2023-0433