!219 fix CVE-2022-1733 CVE-2022-1735

From: @tong_1001 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1

backport-CVE-2022-1733.patch

@@ -0,0 +1,44 @@
+From 60ae0e71490c97f2871a6344aca61cacf220f813 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 16 May 2022 18:06:15 +0100
+Subject: [PATCH] patch 8.2.4968: reading past end of the line when C-indenting
+
+Problem:    Reading past end of the line when C-indenting.
+Solution:   Check for NUL.
+---
+ src/cindent.c                | 2 +-
+ src/testdir/test_cindent.vim | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/cindent.c b/src/cindent.c
+index 28d1558..1b2763f 100644
+--- a/src/cindent.c
++++ b/src/cindent.c
+@@ -91,7 +91,7 @@ skip_string(char_u *p)
+ 		while (vim_isdigit(p[i - 1]))   // '\000'
+ 		    ++i;
+ 	    }
+-	    if (p[i] == '\'')		    // check for trailing '
++	    if (p[i - 1] != NUL && p[i] == '\'')    // check for trailing '
+ 	    {
+ 		p += i;
+ 		continue;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 2a87460..3b2200a 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -5263,4 +5263,11 @@ func Test_find_brace_backwards()
+ endfunc
+ 
+ 
++" This was reading past the end of the line
++func Test_cindent_check_funcdecl()
++  new
++  sil norm o0('\0=L
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+1.8.3.1
+

backport-CVE-2022-1735.patch

@@ -0,0 +1,122 @@
+From 7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 16 May 2022 19:40:59 +0100
+Subject: [PATCH] patch 8.2.4969: changing text in Visual mode may cause
+ invalid memory access
+
+Problem:    Changing text in Visual mode may cause invalid memory access.
+Solution:   Check the Visual position after making a change.
+---
+ src/change.c                |  3 +++
+ src/edit.c                  | 12 ++----------
+ src/misc2.c                 | 25 +++++++++++++++++++++++++
+ src/proto/misc2.pro         |  1 +
+ src/testdir/test_visual.vim | 10 ++++++++++
+ 5 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/src/change.c b/src/change.c
+index f2dfc93..a5ebbdf 100644
+--- a/src/change.c
++++ b/src/change.c
+@@ -523,6 +523,9 @@ changed_common(
+ #endif
+     }
+ 
++    if (VIsual_active)
++	check_visual_pos();
++
+     FOR_ALL_TAB_WINDOWS(tp, wp)
+     {
+ 	if (wp->w_buffer == curbuf)
+diff --git a/src/edit.c b/src/edit.c
+index f77cc05..0dd6b93 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -3101,16 +3101,8 @@ stop_insert(
+ 
+ 	    // <C-S-Right> may have started Visual mode, adjust the position for
+ 	    // deleted characters.
+-	    if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum)
+-	    {
+-		int len = (int)STRLEN(ml_get_curline());
+-
+-		if (VIsual.col > len)
+-		{
+-		    VIsual.col = len;
+-		    VIsual.coladd = 0;
+-		}
+-	    }
++	    if (VIsual_active)
++		check_visual_pos();
+ 	}
+     }
+     did_ai = FALSE;
+diff --git a/src/misc2.c b/src/misc2.c
+index 80731f0..51244da 100644
+--- a/src/misc2.c
++++ b/src/misc2.c
+@@ -618,6 +618,31 @@ check_cursor(void)
+     check_cursor_col();
+ }
+ 
++/*
++ * Check if VIsual position is valid, correct it if not.
++ * Can be called when in Visual mode and a change has been made.
++ */
++    void
++check_visual_pos(void)
++{
++    if (VIsual.lnum > curbuf->b_ml.ml_line_count)
++    {
++	VIsual.lnum = curbuf->b_ml.ml_line_count;
++	VIsual.col = 0;
++	VIsual.coladd = 0;
++    }
++    else
++    {
++	int len = (int)STRLEN(ml_get(VIsual.lnum));
++
++	if (VIsual.col > len)
++	{
++	    VIsual.col = len;
++	    VIsual.coladd = 0;
++	}
++    }
++}
++
+ #if defined(FEAT_TEXTOBJ) || defined(PROTO)
+ /*
+  * Make sure curwin->w_cursor is not on the NUL at the end of the line.
+diff --git a/src/proto/misc2.pro b/src/proto/misc2.pro
+index a52b462..6e6e22d 100644
+--- a/src/proto/misc2.pro
++++ b/src/proto/misc2.pro
+@@ -17,6 +17,7 @@ void check_cursor_lnum(void);
+ void check_cursor_col(void);
+ void check_cursor_col_win(win_T *win);
+ void check_cursor(void);
++void check_visual_pos(void);
+ void adjust_cursor_col(void);
+ int leftcol_changed(void);
+ void vim_mem_profile_dump(void);
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 4f8f056..d21f8f1 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -956,3 +956,13 @@ func Test_visual_block_insert_round_off()
+   bwipe!
+ endfunc
+ 
++func Test_visual_block_with_substitute()
++  " this was reading beyond the end of the line
++  new
++  norm a0)
++  sil! norm  O
++  s/)
++  sil! norm 
++  bwipe!
++endfunc
++
+-- 
+1.8.3.1
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        34
+Release:        35
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -104,6 +104,8 @@ Patch6067:      backport-CVE-2022-1621.patch
 Patch6068:      backport-spell-test-fails-because-of-new-illegal-byte-check.patch
 Patch6069:      backport-command-line-editing-not-sufficiently-tested.patch
 Patch6070:      backport-CVE-2022-1619.patch
+Patch6071:      backport-CVE-2022-1733.patch
+Patch6072:      backport-CVE-2022-1735.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -492,6 +494,12 @@ popd
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue May 31 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-35
+- Type:CVE
+- ID:CVE-2022-1733 CVE-2022-1735
+- SUG:NA
+- DESC:fix CVE-2022-1733 CVE-2022-1735
+
 * Sat May 21 2022 shixuantong <shixuantong@h-partners.com> - 2:8.2-34
 - Type:CVE
 - ID:CVE-2022-1629 CVE-2022-1620 CVE-2022-1674 CVE-2022-1621 CVE-2022-1619