fix CVE-2022-2522

(cherry picked from commit 80812864e370675e4ce8aaa8188a797bf10f4843)

backport-CVE-2022-2343.patch

@@ -40,8 +40,7 @@ index 3b4d530..e8ba82e 100644
      int		was_letter = FALSE;
 +    garray_T	gap;
  
--    IObuff[0] = NUL;
-+    vim_memset(IObuff, NUL, IOSIZE * sizeof(char_u));
+     IObuff[0] = NUL;
  
      // Allocate wide character array for the completion and fill it.
 -    wca = ALLOC_MULT(int, actual_len);

backport-CVE-2022-2522.patch

@@ -0,0 +1,46 @@
+From b9e717367c395490149495cf375911b5d9de889e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 23 Jul 2022 06:53:08 +0100
+Subject: [PATCH] patch 9.0.0060: accessing uninitialized memory when
+ completing long line
+
+Problem:    Accessing uninitialized memory when completing long line.
+Solution:   Terminate string with NUL.
+---
+ src/insexpand.c                   | 1 +
+ src/testdir/test_ins_complete.vim | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index b1114b5..88dbac6 100644
+--- a/src/insexpand.c
++++ b/src/insexpand.c
+@@ -526,6 +526,7 @@ ins_compl_infercase_gettext(
+ 	    // growarray.  Add the character in the next round.
+ 	    if (ga_grow(&gap, IOSIZE) == FAIL)
+ 		return (char_u *)"[failed]";
++	    *p = NUL;
+ 	    STRCPY(gap.ga_data, IObuff);
+ 	    gap.ga_len = (int)STRLEN(IObuff);
+ 	}
+diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
+index aa054f2..5e7353c 100644
+--- a/src/testdir/test_ins_complete.vim
++++ b/src/testdir/test_ins_complete.vim
+@@ -408,6 +408,13 @@ func Test_infercase_very_long_line()
+   exe "normal 2Go\<C-X>\<C-L>\<Esc>"
+   call assert_equal(longLine, getline(3))
+ 
++  " check that the too long text is NUL terminated
++  %del
++  norm o
++  norm 1987ax
++  exec "norm ox\<C-X>\<C-L>"
++  call assert_equal(repeat('x', 1987), getline(3))
++
+   bwipe!
+   set noic noinfercase
+ endfunc
+-- 
+2.27.0
+

backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch

@@ -0,0 +1,43 @@
+From 8fb1b47a5e24892b23c3923a07d8a850d99b14b2 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 23 Feb 2020 16:16:26 +0100
+Subject: [PATCH] patch 8.2.0310: autocmd test fails on a slow system
+
+Problem:    Autocmd test fails on a slow system.
+Solution:   Adjust the expectations. (James McCoy, closes #5685)
+---
+ src/testdir/test_autocmd.vim | 12 +++++++-----
+ 1 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 2ff231d..8a1d5d8 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -2245,17 +2245,19 @@ func Test_autocmd_SafeState()
+   call writefile(lines, 'XSafeState')
+   let buf = RunVimInTerminal('-S XSafeState', #{rows: 6})
+ 
+-  " Sometimes we loop to handle an K_IGNORE
++  " Sometimes we loop to handle a K_IGNORE, SafeState may be trigered once or
++  " more often.
+   call term_sendkeys(buf, ":echo g:safe\<CR>")
+-  call WaitForAssert({-> assert_match('^[12] ', term_getline(buf, 6))}, 1000)
++  call WaitForAssert({-> assert_match('^\d ', term_getline(buf, 6))}, 1000)
+ 
++  " SafeStateAgain should be invoked at least three times
+   call term_sendkeys(buf, ":echo g:again\<CR>")
+-  call WaitForAssert({-> assert_match('^xxxx', term_getline(buf, 6))}, 1000)
++  call WaitForAssert({-> assert_match('^xxx', term_getline(buf, 6))}, 1000)
+ 
+   call term_sendkeys(buf, ":let g:again = ''\<CR>:call CallTimer()\<CR>")
+-  call term_wait(buf, 50)
++  call term_wait(buf, 100)
+   call term_sendkeys(buf, ":\<CR>")
+-  call term_wait(buf, 50)
++  call term_wait(buf, 100)
+   call term_sendkeys(buf, ":echo g:again\<CR>")
+   call WaitForAssert({-> assert_match('xtx', term_getline(buf, 6))}, 1000)
+ 
+-- 
+1.8.3.1
+

backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch

@@ -0,0 +1,27 @@
+From c7bd2f08e531f08723cdc677212a3633d11c9a97 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 15 Jul 2022 20:45:20 +0100
+Subject: [PATCH] patch 9.0.0054: compiler warning for size_t to int conversion
+
+Problem:    Compiler warning for size_t to int conversion.
+Solution:   Add type cast. (Mike Williams, closes #10741)
+---
+ src/insexpand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/insexpand.c b/src/insexpand.c
+index 1a64c57..b1114b5 100644
+--- a/src/insexpand.c
++++ b/src/insexpand.c
+@@ -527,7 +527,7 @@ ins_compl_infercase_gettext(
+ 	    if (ga_grow(&gap, IOSIZE) == FAIL)
+ 		return (char_u *)"[failed]";
+ 	    STRCPY(gap.ga_data, IObuff);
+-	    gap.ga_len = STRLEN(IObuff);
++	    gap.ga_len = (int)STRLEN(IObuff);
+ 	}
+ 	else if (has_mbyte)
+ 	    p += (*mb_char2bytes)(wca[i++], p);
+-- 
+2.27.0
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        55
+Release:        56
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -157,6 +157,9 @@ Patch6120: 	backport-CVE-2022-2210.patch
 Patch6121:      backport-CVE-2022-2289.patch
 Patch6122:      backport-patch-8.2.3953-insert-completion-code-is-too-complic.patch
 Patch6123:      backport-CVE-2022-2343.patch
+Patch6124:      backport-patch-9.0.0054-compiler-warning-for-size_t-to-int-conversion.patch
+Patch6125:      backport-CVE-2022-2522.patch
+Patch6126:      backport-patch-8.2.0310-autocmd-test-fails-on-a-slow-system.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -545,6 +548,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Mon Aug 01 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-56
+- Type:CVE
+- ID:CVE-2022-2522
+- SUG:NA
+- DESC:fix CVE-2022-2522
+
 * Fri Jul 22 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-55
 - Type:bugfix
 - ID:NA