fix CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345

(cherry picked from commit d482e6c896db21013dcea1092263c13c70d9f2bb)

backport-CVE-2022-2000.patch

@@ -0,0 +1,54 @@
+From 44a3f3353e0407e9fffee138125a6927d1c9e7e5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 6 Jun 2022 15:38:21 +0100
+Subject: [PATCH] patch 8.2.5063: error for a command may go over the end of
+ IObuff
+
+Problem:    Error for a command may go over the end of IObuff.
+Solution:   Truncate the message.
+---
+ src/ex_docmd.c               | 12 ++++++++++--
+ src/testdir/test_cmdline.vim |  5 +++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 1644573..7c00a26 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3098,9 +3098,17 @@ checkforcmd(
+     static void
+ append_command(char_u *cmd)
+ {
+-    char_u *s = cmd;
+-    char_u *d;
++    size_t  len = STRLEN(IObuff);
++    char_u  *s = cmd;
++    char_u  *d;
+ 
++    if (len > IOSIZE - 100)
++    {
++	// Not enough space, truncate and put in "...".
++	d = IObuff + IOSIZE - 100;
++	d -= mb_head_off(IObuff, d);
++	STRCPY(d, "...");
++    }
+     STRCAT(IObuff, ": ");
+     d = IObuff + STRLEN(IObuff);
+     while (*s != NUL && d - IObuff + 5 < IOSIZE)
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 2588a0d..735b0a5 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -930,4 +930,9 @@ func Test_cmdline_expr_register()
+   exe "sil! norm! ?\<C-\>e0\<C-R>0\<Esc>?\<C-\>e0\<CR>"
+ endfunc
+ 
++func Test_long_error_message()
++  " the error should be truncated, not overrun IObuff
++  silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+

backport-CVE-2022-2042.patch

@@ -0,0 +1,83 @@
+From 2813f38e021c6e6581c0c88fcf107e41788bc835 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 9 Jun 2022 19:54:24 +0100
+Subject: [PATCH] patch 8.2.5072: using uninitialized value and freed memory in
+ spell command
+
+Problem:    Using uninitialized value and freed memory in spell command.
+Solution:   Initialize "attr".  Check for empty line early.
+---
+ src/spell.c                     | 10 +++++++---
+ src/testdir/test_spell_utf8.vim | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index d8310fa..5b25950 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1254,7 +1254,7 @@ spell_move_to(
+     char_u	*line;
+     char_u	*p;
+     char_u	*endp;
+-    hlf_T	attr;
++    hlf_T	attr = 0;
+     int		len;
+ #ifdef FEAT_SYN_HL
+     int		has_syntax = syntax_present(wp);
+@@ -1287,6 +1287,8 @@ spell_move_to(
+ 
+     while (!got_int)
+     {
++	int empty_line;
++
+ 	line = ml_get_buf(wp->w_buffer, lnum, FALSE);
+ 
+ 	len = (int)STRLEN(line);
+@@ -1319,7 +1321,9 @@ spell_move_to(
+ 	}
+ 
+ 	// Copy the line into "buf" and append the start of the next line if
+-	// possible.
++	// possible.  Note: this ml_get_buf() may make "line" invalid, check
++	// for empty line first.
++	empty_line = *skipwhite(line) == NUL;
+ 	STRCPY(buf, line);
+ 	if (lnum < wp->w_buffer->b_ml.ml_line_count)
+ 	    spell_cat_line(buf + STRLEN(buf),
+@@ -1467,7 +1471,7 @@ spell_move_to(
+ 	    --capcol;
+ 
+ 	    // But after empty line check first word in next line
+-	    if (*skipwhite(line) == NUL)
++	    if (empty_line)
+ 		capcol = 0;
+ 	}
+ 
+diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
+index 491a406..efdecdc 100644
+--- a/src/testdir/test_spell_utf8.vim
++++ b/src/testdir/test_spell_utf8.vim
+@@ -797,5 +797,20 @@ func Test_word_index()
+   call delete('Xtmpfile')
+ endfunc
+ 
++func Test_check_empty_line()
++  " This was using freed memory
++  enew
++  spellgood! fl
++  norm z=
++  norm yy
++  sil! norm P]svc
++  norm P]s
++
++  " set 'encoding' to clear the wordt list
++  set enc=latin1
++  set enc=utf-8
++  bwipe!
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+

backport-CVE-2022-2284.patch

@@ -0,0 +1,48 @@
+From 3d51ce18ab1be4f9f6061568a4e7fabf00b21794 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 1 Jul 2022 15:26:15 +0100
+Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the line
+
+Problem:    Accessing memory beyond the end of the line.
+Solution:   Stop Visual mode when closing a window.
+---
+ src/testdir/test_visual.vim | 12 ++++++++++++
+ src/window.c                |  2 ++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index d21f8f1..ebb6f27 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -966,3 +966,15 @@ func Test_visual_block_with_substitute()
+   bwipe!
+ endfunc
+ 
++func Test_visual_area_adjusted_when_hiding()
++  " The Visual area ended after the end of the line after :hide
++  call setline(1, 'xxx')
++  vsplit Xfile
++  call setline(1, 'xxxxxxxx')
++  norm! $o
++  hid
++  norm! zW
++  bwipe!
++  bwipe!
++endfunc
++
+diff --git a/src/window.c b/src/window.c
+index d8091f9..e0df540 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -2506,6 +2506,8 @@ win_close(win_T *win, int free_buf)
+ 	 */
+ 	if (wp->w_buffer != curbuf)
+ 	{
++	    reset_VIsual_and_resel();	// stop Visual mode
++
+ 	    other_buffer = TRUE;
+ 	    win->w_closing = TRUE;
+ 	    apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
+-- 
+1.8.3.1
+

backport-CVE-2022-2285.patch

@@ -0,0 +1,44 @@
+From 27efc62f5d86afcb2ecb7565587fe8dea4b036fe Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 1 Jul 2022 16:35:45 +0100
+Subject: [PATCH] patch 9.0.0018: going over the end of the typahead
+
+Problem:    Going over the end of the typahead.
+Solution:   Put a NUL after the typeahead.
+---
+ src/term.c                   | 1 +
+ src/testdir/test_mapping.vim | 9 +++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/src/term.c b/src/term.c
+index 307e3bf..ee80f0f 100644
+--- a/src/term.c
++++ b/src/term.c
+@@ -4419,6 +4419,7 @@ check_termcode(
+ 	if (*tp == ESC && !p_ek && (State & INSERT))
+ 	    continue;
+ 
++	tp[len] = NUL;
+ 	key_name[0] = NUL;	// no key name found yet
+ 	key_name[1] = NUL;	// no key name found yet
+ 	modifiers = 0;		// no modifiers yet
+diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
+index d3abaff..55e6af0 100644
+--- a/src/testdir/test_mapping.vim
++++ b/src/testdir/test_mapping.vim
+@@ -492,3 +492,12 @@ func Test_expr_map_restore_cursor()
+   call StopVimInTerminal(buf)
+   call delete('XtestExprMap')
+ endfunc
++
++func Test_using_past_typeahead()
++  nnoremap :00 0
++  exe "norm :set \x80\xfb0=0\<CR>"
++  exe "sil norm :0\x0f\<C-U>\<CR>"
++
++  exe "norm :set \x80\xfb0=\<CR>"
++  nunmap :00
++endfunc
+-- 
+1.8.3.1
+

backport-CVE-2022-2304.patch

@@ -0,0 +1,55 @@
+From 54e5fed6d27b747ff152cdb6edfb72ff60e70939 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 4 Jul 2022 13:37:07 +0100
+Subject: [PATCH] patch 9.0.0035: spell dump may go beyond end of an array
+
+Problem:    Spell dump may go beyond end of an array.
+Solution:   Limit the word length.
+---
+ src/spell.c                |  5 +++--
+ src/testdir/test_spell.vim | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index 5b25950..1d7a1ae 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -3958,9 +3958,10 @@ spell_dump_compl(
+ 		    n = arridx[depth] + curi[depth];
+ 		    ++curi[depth];
+ 		    c = byts[n];
+-		    if (c == 0)
++		    if (c == 0 || depth >= MAXWLEN - 1)
+ 		    {
+-			// End of word, deal with the word.
++			// End of word or reached maximum length, deal with the
++			// word.
+ 			// Don't use keep-case words in the fold-case tree,
+ 			// they will appear in the keep-case tree.
+ 			// Only use the word when the region matches.
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index ff50ecd..1f79907 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -141,6 +141,18 @@ func Test_spellreall()
+   bwipe!
+ endfunc
+ 
++func Test_spell_dump_word_length()
++  " this was running over MAXWLEN
++  new
++  noremap 0 0a0zW0000000
++  sil! norm 0z=0
++  sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
++  sil! norm 0z=0
++
++  bwipe!
++  nunmap 0
++endfunc
++
+ func Test_spellsuggest_visual_end_of_line()
+   let enc_save = &encoding
+   set encoding=iso8859
+-- 
+1.8.3.1
+

backport-CVE-2022-2344.patch

@@ -0,0 +1,48 @@
+From baefde14550231f6468ac2ed2ed495bc381c0c92 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 7 Jul 2022 19:59:49 +0100
+Subject: [PATCH] patch 9.0.0046: reading past end of completion with duplicate
+ match
+
+Problem:    Reading past end of completion with duplicate match.
+Solution:   Check string length
+---
+ src/insexpand.c                   |  3 ++-
+ src/testdir/test_ins_complete.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index bf98cee..50e0579 100644
+--- a/src/insexpand.c
++++ b/src/insexpand.c
+@@ -597,7 +597,8 @@ ins_compl_add(
+ 	{
+ 	    if (    !(match->cp_flags & CP_ORIGINAL_TEXT)
+ 		    && STRNCMP(match->cp_str, str, len) == 0
+-		    && match->cp_str[len] == NUL)
++		    && ((int)STRLEN(match->cp_str) <= len
++						 || match->cp_str[len] == NUL))
+ 		return NOTDONE;
+ 	    match = match->cp_next;
+ 	} while (match != NULL && match != compl_first_match);
+diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
+index e48a72c..8f584d3 100644
+--- a/src/testdir/test_ins_complete.vim
++++ b/src/testdir/test_ins_complete.vim
+@@ -380,3 +380,13 @@ func Test_ins_completeslash()
+   set completeslash=
+ endfunc
+ 
++func Test_ins_complete_add()
++  " this was reading past the end of allocated memory
++  new
++  norm o
++  norm 7o€€
++  sil! norm o
++
++  bwipe!
++endfunc
++
+-- 
+1.8.3.1
+

backport-CVE-2022-2345.patch

@@ -0,0 +1,78 @@
+From 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 7 Jul 2022 22:20:31 +0100
+Subject: [PATCH] patch 9.0.0047: using freed memory with recursive substitute
+
+Problem:    Using freed memory with recursive substitute.
+Solution:   Always make a copy for reg_prev_sub.
+---
+ src/ex_cmds.c                     | 11 ++++++++++-
+ src/regexp.c                      |  8 ++++----
+ src/testdir/test_regexp_latin.vim | 12 ++++++++++++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 0a22f59..5a90c2f 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3881,7 +3881,16 @@ do_sub(exarg_T *eap)
+        sub_copy = sub;
+     }
+     else
+-	sub = regtilde(sub, p_magic);
++    {
++	char_u *newsub = regtilde(sub, p_magic);
++
++	if (newsub != sub)
++	{
++	    // newsub was allocated, free it later.
++	    sub_copy = newsub;
++	    sub = newsub;
++	}
++    }
+ 
+     /*
+      * Check for a match on each line.
+diff --git a/src/regexp.c b/src/regexp.c
+index 6849cba..c2f29c8 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1761,11 +1761,11 @@ regtilde(char_u *source, int magic)
+ 	}
+     }
+ 
++    // Store a copy of newsub  in reg_prev_sub.  It is always allocated,
++    // because recursive calls may make the returned string invalid.
+     vim_free(reg_prev_sub);
+-    if (newsub != source)	// newsub was allocated, just keep it
+-	reg_prev_sub = newsub;
+-    else			// no ~ found, need to save newsub
+-	reg_prev_sub = vim_strsave(newsub);
++    reg_prev_sub = vim_strsave(newsub);
++
+     return newsub;
+ }
+ 
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index a242d91..b668f87 100644
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -172,3 +172,15 @@ func Test_using_invalid_visual_position()
+   /\%V
+   bwipe!
+ endfunc
++
++func Test_recursive_substitute_expr()
++  new
++  func Repl()
++    s
++  endfunc
++  silent! s/\%')/~\=Repl()
++
++  bwipe!
++  delfunc Repl
++endfunc
++
+-- 
+1.8.3.1
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        49
+Release:        50
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -139,6 +139,13 @@ Patch6102:      backport-cannot-list-options-one-per-line.patch
 Patch6103:      backport-CVE-2022-2207.patch
 Patch6104:      backport-CVE-2022-2208.patch
 Patch6105:      backport-test-for-DiffUpdated-fails.patch
+Patch6106:      backport-CVE-2022-2000.patch
+Patch6107:      backport-CVE-2022-2042.patch
+Patch6108:      backport-CVE-2022-2284.patch
+Patch6109:      backport-CVE-2022-2285.patch
+Patch6110:      backport-CVE-2022-2304.patch
+Patch6111:      backport-CVE-2022-2344.patch
+Patch6112:      backport-CVE-2022-2345.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -527,6 +534,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Mon Jul 11 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-50
+- Type:CVE
+- ID:CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345
+- SUG:NA
+- DESC:fix CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345
+
 * Fri Jul 08 2022 tianwei <tianwei12@h-partners.com> - 2:8.2-49
 - Type:CVE
 - ID:CVE-2022-2207 CVE-2022-2208