!597 [sync] PR-593: fix CVE-2023-48706 and modify line-Number error

From: @openeuler-sync-bot 
Reviewed-by: @gaoruoshu 
Signed-off-by: @gaoruoshu

backport-CVE-2023-46246.patch

@@ -0,0 +1,102 @@
+From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 26 Oct 2023 21:29:32 +0200
+Subject: [PATCH] patch 9.0.2068: [security] overflow in :history
+
+Problem:  [security] overflow in :history
+Solution: Check that value fits into int
+
+The get_list_range() function, used to parse numbers for the :history
+and :clist command internally uses long variables to store the numbers.
+However function arguments are integer pointers, which can then
+overflow.
+
+Check that the return value from the vim_str2nr() function is not larger
+than INT_MAX and if yes, bail out with an error. I guess nobody uses a
+cmdline/clist history that needs so many entries... (famous last words).
+
+It is only a moderate vulnerability, so impact should be low.
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/cmdhist.c                |  5 ++++-
+ src/errors.h                 |  2 ++
+ src/ex_getln.c               | 10 +++++++++-
+ src/testdir/test_history.vim |  8 ++++++++
+ 4 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/cmdhist.c b/src/cmdhist.c
+index d398ca7a687b5..96a9b3e95b86f 100644
+--- a/src/cmdhist.c
++++ b/src/cmdhist.c
+@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
+ 	end = arg;
+     if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
+     {
+-	semsg(_(e_trailing_characters_str), end);
++	if (*end != NUL)
++	    semsg(_(e_trailing_characters_str), end);
++	else
++	    semsg(_(e_val_too_large), arg);
+ 	return;
+     }
+ 
+diff --git a/src/errors.h b/src/errors.h
+index 79a785e1e2953..72957d8b93bdc 100644
+--- a/src/errors.h
++++ b/src/errors.h
+@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
+ #endif
+ EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
+ 	INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
++EXTERN char e_val_too_large[]
++	INIT(= N_("E1510: Value too large: %s"));
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 9683e2ebd5af5..8f0be520886be 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
+     {
+ 	vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
+ 	*str += len;
++	// overflow
++	if (num > INT_MAX)
++	    return FAIL;
++
+ 	*num1 = (int)num;
+ 	first = TRUE;
+     }
+@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
+ 	vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
+ 	if (len > 0)
+ 	{
+-	    *num2 = (int)num;
+ 	    *str = skipwhite(*str + len);
++	    // overflow
++	    if (num > INT_MAX)
++		return FAIL;
++
++	    *num2 = (int)num;
+ 	}
+ 	else if (!first)		// no number given at all
+ 	    return FAIL;
+diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
+index bb6d67172585e..482328ab4aaef 100644
+--- a/src/testdir/test_history.vim
++++ b/src/testdir/test_history.vim
+@@ -249,4 +249,12 @@ func Test_history_crypt_key()
+   set key& bs& ts&
+ endfunc
+ 
++" The following used to overflow and causing an use-after-free
++func Test_history_max_val()
++
++  set history=10
++  call assert_fails(':history 2147483648', 'E1510:')
++  set history&
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

backport-CVE-2023-4781.patch

@@ -31,7 +31,7 @@ diff --git a/src/window.c b/src/window.c
 index 1af2395df..f77ede330 100644
 --- a/src/window.c
 +++ b/src/window.c
-@@ -1738,6 +1738,11 @@ win_exchange(long Prenum)
+@@ -1646,6 +1646,11 @@ win_exchange(long Prenum)
  	beep_flush();
  	return;
      }

backport-CVE-2023-48231.patch

@@ -0,0 +1,32 @@
+From 25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 19:31:34 +0100
+Subject: [PATCH] patch 9.0.2106: [security]: Use-after-free in win_close()
+
+Problem:  [security]: Use-after-free in win_close()
+Solution: Check window is valid, before accessing it
+
+If the current window structure is no longer valid (because a previous
+autocommand has already freed this window), fail and return before
+attempting to set win->w_closing variable.
+
+Add a test to trigger ASAN in CI
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/window.c               |   2 ++
+ 1 files changed, 2 insertions(+)
+
+diff --git a/src/window.c b/src/window.c
+index f77ede330d304..55ce31c886437 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -2606,6 +2606,8 @@ win_close(win_T *win, int free_buf)
+ 	    reset_VIsual_and_resel();	// stop Visual mode
+ 
+ 	    other_buffer = TRUE;
++	    if (!win_valid(win))
++		return FAIL;
+ 	    win->w_closing = TRUE;
+ 	    apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
+ 	    if (!win_valid(win))

backport-CVE-2023-48233.patch

@@ -0,0 +1,112 @@
+From ac63787734fda2e294e477af52b3bd601517fa78 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 20:45:48 +0100
+Subject: [PATCH] patch 9.0.2108: [security]: overflow with count for :s
+ command
+
+Problem:  [security]: overflow with count for :s command
+Solution: Abort the :s command if the count is too large
+
+If the count after the :s command is larger than what fits into a
+(signed) long variable, abort with e_value_too_large.
+
+Adds a test with INT_MAX as count and verify it correctly fails.
+
+It seems the return value on Windows using mingw compiler wraps around,
+so the initial test using :s/./b/9999999999999999999999999990 doesn't
+fail there, since the count is wrapping around several times and finally
+is no longer larger than 2147483647. So let's just use 2147483647 in the
+test, which hopefully will always cause a failure
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/doc/change.txt          | 8 ++++----
+ runtime/doc/cmdline.txt         | 3 ++-
+ runtime/doc/tags                | 1 +
+ src/ex_cmds.c                   | 7 +++++++
+ src/testdir/test_substitute.vim | 1 +
+ 5 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/runtime/doc/change.txt b/runtime/doc/change.txt
+index 65da9a7c6b92b..dccaa44c89922 100644
+--- a/runtime/doc/change.txt
++++ b/runtime/doc/change.txt
+@@ -1,4 +1,4 @@
+-*change.txt*    For Vim version 9.0.  Last change: 2022 May 26
++*change.txt*    For Vim version 9.0.  Last change: 2023 Nov 15
+ 
+ 
+ 		  VIM REFERENCE MANUAL    by Bram Moolenaar
+@@ -635,9 +635,9 @@ For other systems the tmpnam() library function is used.
+ 			current line only.  When [count] is given, replace in
+ 			[count] lines, starting with the last line in [range].
+ 			When [range] is omitted start in the current line.
+-							*E939*
+-			[count] must be a positive number.  Also see
+-			|cmdline-ranges|.
++							*E939* *E1510*
++			[count] must be a positive number (max 2147483647)
++			Also see |cmdline-ranges|.
+ 
+ 			See |:s_flags| for [flags].
+ 			The delimiter doesn't need to be /, see
+diff --git a/runtime/doc/cmdline.txt b/runtime/doc/cmdline.txt
+index c5d0096ddb74c..cbcf0ad274fe2 100644
+--- a/runtime/doc/cmdline.txt
++++ b/runtime/doc/cmdline.txt
+@@ -1,4 +1,4 @@
+-*cmdline.txt*   For Vim version 9.0.  Last change: 2022 Jun 16
++*cmdline.txt*   For Vim version 9.0.  Last change: 2023 Nov 15
+ 
+ 
+ 		  VIM REFERENCE MANUAL    by Bram Moolenaar
+@@ -359,6 +359,7 @@ terminals)
+ 		A positive number represents the absolute index of an entry
+ 		as it is given in the first column of a :history listing.
+ 		This number remains fixed even if other entries are deleted.
++		(see |E1510|)
+ 
+ 		A negative number means the relative position of an entry,
+ 		counted from the newest entry (which has index -1) backwards.
+diff --git a/runtime/doc/tags b/runtime/doc/tags
+index f49061aa21064..0021ddb127793 100644
+--- a/runtime/doc/tags
++++ b/runtime/doc/tags
+@@ -4300,6 +4300,7 @@ E149	helphelp.txt	/*E149*
+ E15	eval.txt	/*E15*
+ E150	helphelp.txt	/*E150*
+ E151	helphelp.txt	/*E151*
++E1510	change.txt	/*E1510*
+ E152	helphelp.txt	/*E152*
+ E153	helphelp.txt	/*E153*
+ E154	helphelp.txt	/*E154*
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 3544092d65b11..c5f912e7ee57f 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3940,6 +3940,13 @@ ex_substitute(exarg_T *eap)
+ 	    emsg(_(e_positive_count_required));
+ 	    return;
+ 	}
++	else if (i >= INT_MAX)
++	{
++	    char	buf[20];
++	    vim_snprintf(buf, sizeof(buf), "%ld", i);
++	    semsg(_(e_val_too_large), buf);
++	    return;
++	}
+ 	eap->line1 = eap->line2;
+ 	eap->line2 += i - 1;
+ 	if (eap->line2 > curbuf->b_ml.ml_line_count)
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index b99d0e0058270..3ed159799f5cc 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -205,6 +205,7 @@ func Test_substitute_count()
+   call assert_equal(['foo foo', 'foo foo', 'foo foo', 'bar foo', 'bar foo'],
+         \           getline(1, '$'))
+ 
++  call assert_fails('s/./b/2147483647', 'E1510:')
+   bwipe!
+ endfunc
+ 

backport-CVE-2023-48234.patch

@@ -0,0 +1,50 @@
+From 58f9befca1fa172068effad7f2ea5a9d6a7b0cca Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 21:02:30 +0100
+Subject: [PATCH] patch 9.0.2109: [security]: overflow in nv_z_get_count
+
+Problem:  [security]: overflow in nv_z_get_count
+Solution: break out, if count is too large
+
+When getting the count for a normal z command, it may overflow for large
+counts given. So verify, that we can safely store the result in a long.
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/normal.c                | 7 +++++++
+ src/testdir/test_normal.vim | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/normal.c b/src/normal.c
+index a06d61e6fce7d..16b4b45069329 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -2567,7 +2567,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
+ 	if (nchar == K_DEL || nchar == K_KDEL)
+ 	    n /= 10;
+ 	else if (VIM_ISDIGIT(nchar))
++	{
++	    if (n > LONG_MAX / 10)
++	    {
++		clearopbeep(cap->oap);
++		break;
++	    }
+ 	    n = n * 10 + (nchar - '0');
++	}
+ 	else if (nchar == CAR)
+ 	{
+ #ifdef FEAT_GUI
+diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
+index c7d37f066f208..6b889f46b3dd7 100644
+--- a/src/testdir/test_normal.vim
++++ b/src/testdir/test_normal.vim
+@@ -3757,4 +3757,9 @@ func Test_normal33_g_cmd_nonblank()
+   bwipe!
+ endfunc
+ 
++func Test_normal34_zet_large()
++  " shouldn't cause overflow
++  norm! z9765405999999999999
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

backport-CVE-2023-48235.patch

@@ -0,0 +1,50 @@
+From 060623e4a3bc72b011e7cd92bedb3bfb64e06200 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 21:33:29 +0100
+Subject: [PATCH] patch 9.0.2110: [security]: overflow in ex address parsing
+
+Problem:  [security]: overflow in ex address parsing
+Solution: Verify that lnum is positive, before substracting from
+          LONG_MAX
+
+[security]: overflow in ex address parsing
+
+When parsing relative ex addresses one may unintentionally cause an
+overflow (because LONG_MAX - lnum will overflow for negative addresses).
+
+So verify that lnum is actually positive before doing the overflow
+check.
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/ex_docmd.c             | 2 +-
+ src/testdir/test_excmd.vim | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 06837ac92c55c..01d411a632ccf 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -4603,7 +4603,7 @@ get_address(
+ 		    lnum -= n;
+ 		else
+ 		{
+-		    if (n >= LONG_MAX - lnum)
++		    if (lnum >= 0 && n >= LONG_MAX - lnum)
+ 		    {
+ 			emsg(_(e_line_number_out_of_range));
+ 			goto error;
+diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
+index 3637351f636c0..47fc26726d5e6 100644
+--- a/src/testdir/test_excmd.vim
++++ b/src/testdir/test_excmd.vim
+@@ -725,5 +725,9 @@ func Test_write_after_rename()
+   bwipe!
+ endfunc
+ 
++" catch address lines overflow
++func Test_ex_address_range_overflow()
++  call assert_fails(':--+foobar', 'E492:')
++endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab

backport-CVE-2023-48236.patch

@@ -0,0 +1,53 @@
+From 73b2d3790cad5694fc0ed0db2926e4220c48d968 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 21:58:26 +0100
+Subject: [PATCH] patch 9.0.2111: [security]: overflow in get_number
+
+Problem:  [security]: overflow in get_number
+Solution: Return 0 when the count gets too large
+
+[security]: overflow in get_number
+
+When using the z= command, we may overflow the count with values larger
+than MAX_INT. So verify that we do not overflow and in case when an
+overflow is detected, simply return 0
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/misc1.c                | 2 ++
+ src/testdir/test_spell.vim | 9 +++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/misc1.c b/src/misc1.c
+index 5b008c614a9bb..5f9828ebe9544 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -951,6 +951,8 @@ get_number(
+ 	c = safe_vgetc();
+ 	if (VIM_ISDIGIT(c))
+ 	{
++	    if (n > INT_MAX / 10)
++		return 0;
+ 	    n = n * 10 + c - '0';
+ 	    msg_putchar(c);
+ 	    ++typed;
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index be0bc55810f0e..1ddcd83d5117e 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -965,6 +965,15 @@ func Test_spell_screendump()
+   call delete('XtestSpell')
+ endfunc
+ 
++func Test_z_equal_with_large_count()
++  split
++  set spell
++  call setline(1, "ff")
++  norm 0z=337203685477580
++  set nospell
++  bwipe!
++endfunc
++
+ let g:test_data_aff1 = [
+       \"SET ISO8859-1",
+       \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",

backport-CVE-2023-48237.patch

@@ -0,0 +1,97 @@
+From 6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 14 Nov 2023 22:42:59 +0100
+Subject: [PATCH] patch 9.0.2112: [security]: overflow in shift_line
+
+Problem:  [security]: overflow in shift_line
+Solution: allow a max indent of INT_MAX
+
+[security]: overflow in shift_line
+
+When shifting lines in operator pending mode and using a very large
+value, we may overflow the size of integer. Fix this by using a long
+variable, testing if the result would be larger than INT_MAX and if so,
+indent by INT_MAX value.
+
+Special case: We cannot use long here, since on 32bit architectures (or
+on Windows?), it typically cannot take larger values than a plain int,
+so we have to use long long count, decide whether the resulting
+multiplication of the shiftwidth value * amount is larger than INT_MAX
+and if so, we will store INT_MAX as possible larges value in the long
+long count variable.
+
+Then we can safely cast it back to int when calling the functions to set
+the indent (set_indent() or change_indent()). So this should be safe.
+
+Add a test that when using a huge value in operator pending mode for
+shifting, we will shift by INT_MAX
+
+closes: #13535
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/ops.c                   | 15 ++++++++++-----
+ src/testdir/test_indent.vim | 11 +++++++++++
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index c0a2981d68770..ecd7fc2170c58 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -226,11 +226,11 @@ shift_line(
+     int	amount,
+     int call_changed_bytes)	// call changed_bytes()
+ {
+-    int		count;
++    long long	count;
+     int		i, j;
+     int		sw_val = (int)get_sw_value_indent(curbuf);
+ 
+-    count = get_indent();	// get current indent
++    count = (long long)get_indent();	// get current indent
+ 
+     if (round)			// round off indent
+     {
+@@ -257,14 +257,19 @@ shift_line(
+ 		count = 0;
+ 	}
+ 	else
+-	    count += sw_val * amount;
++	{
++	    if ((long long)sw_val * (long long)amount > INT_MAX - count)
++		count = INT_MAX;
++	    else
++		count += (long long)sw_val * (long long)amount;
++	}
+     }
+ 
+     // Set new indent
+     if (State & VREPLACE_FLAG)
+-	change_indent(INDENT_SET, count, FALSE, NUL, call_changed_bytes);
++	change_indent(INDENT_SET, (int)count, FALSE, NUL, call_changed_bytes);
+     else
+-	(void)set_indent(count, call_changed_bytes ? SIN_CHANGED : 0);
++	(void)set_indent((int)count, call_changed_bytes ? SIN_CHANGED : 0);
+ }
+ 
+ /*
+diff --git a/src/testdir/test_indent.vim b/src/testdir/test_indent.vim
+index 96e9d2300883c..217a7ae625072 100644
+--- a/src/testdir/test_indent.vim
++++ b/src/testdir/test_indent.vim
+@@ -276,4 +276,15 @@ func Test_formatting_keeps_first_line_indent()
+   bwipe!
+ endfunc
+ 
++" Test for indenting with large amount, causes overflow
++func Test_indent_overflow_count()
++  new
++  setl sw=8
++  call setline(1, "abc")
++  norm! V2147483647>
++  " indents by INT_MAX
++  call assert_equal(2147483647, indent(1))
++  close!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

backport-CVE-2023-48706.patch

@@ -0,0 +1,287 @@
+From 26c11c56888d01e298cd8044caf860f3c26f57bb Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 22 Nov 2023 21:26:41 +0100
+Subject: [PATCH] patch 9.0.2121: [security]: use-after-free in ex_substitute
+
+Problem:  [security]: use-after-free in ex_substitute
+Solution: always allocate memory
+
+closes: #13552
+
+A recursive :substitute command could cause a heap-use-after free in Vim
+(CVE-2023-48706).
+
+The whole reproducible test is a bit tricky, I can only reproduce this
+reliably when no previous substitution command has been used yet
+(which is the reason, the test needs to run as first one in the
+test_substitute.vim file) and as a combination of the `:~` command
+together with a :s command that contains the special substitution atom `~\=`
+which will make use of a sub-replace special atom and calls a vim script
+function.
+
+There was a comment in the existing :s code, that already makes the
+`sub` variable allocate memory so that a recursive :s call won't be able
+to cause any issues here, so this was known as a potential problem
+already.  But for the current test-case that one does not work, because
+the substitution does not start with `\=` but with `~\=` (and since
+there does not yet exist a previous substitution atom, Vim will simply
+increment the `sub` pointer (which then was not allocated dynamically)
+and later one happily use a sub-replace special expression (which could
+then free the `sub` var).
+
+The following commit fixes this, by making the sub var always using
+allocated memory, which also means we need to free the pointer whenever
+we leave the function. Since sub is now always an allocated variable,
+we also do no longer need the sub_copy variable anymore, since this one
+was used to indicated when sub pointed to allocated memory (and had
+therefore to be freed on exit) and when not.
+
+Github Security Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/ex_cmds.c                   | 50 ++++++++++++++++++++++++---------
+ src/testdir/test_substitute.vim | 48 +++++++++++++++++++++++++++++--
+ 2 files changed, 83 insertions(+), 15 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index c5f912e7ee57f..a08682b071fb5 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -3686,7 +3686,6 @@ ex_substitute(exarg_T *eap)
+     int		save_do_all;		// remember user specified 'g' flag
+     int		save_do_ask;		// remember user specified 'c' flag
+     char_u	*pat = NULL, *sub = NULL;	// init for GCC
+-    char_u	*sub_copy = NULL;
+     int		delimiter;
+     int		sublen;
+     int		got_quit = FALSE;
+@@ -3694,6 +3693,7 @@ ex_substitute(exarg_T *eap)
+     int		temp;
+     int		which_pat;
+     char_u	*cmd;
++    char_u	*p;
+     int		save_State;
+     linenr_T	first_line = 0;		// first changed line
+     linenr_T	last_line= 0;		// below last changed line AFTER the
+@@ -3774,8 +3774,12 @@ ex_substitute(exarg_T *eap)
+ 	 * Small incompatibility: vi sees '\n' as end of the command, but in
+ 	 * Vim we want to use '\n' to find/substitute a NUL.
+ 	 */
+-	sub = cmd;	    // remember the start of the substitution
++	p = cmd;	    // remember the start of the substitution
+ 	cmd = skip_substitute(cmd, delimiter);
++	sub = vim_strsave(p);
++	if (sub == NULL)
++	    // out of memory
++	    return;
+ 
+ 	if (!eap->skip)
+ 	{
+@@ -3786,14 +3790,22 @@ ex_substitute(exarg_T *eap)
+ 		if (old_sub == NULL)	// there is no previous command
+ 		{
+ 		    emsg(_(e_no_previous_substitute_regular_expression));
++		    vim_free(sub);
+ 		    return;
+ 		}
+-		sub = old_sub;
++		vim_free(sub);
++		sub = vim_strsave(old_sub);
++		if (sub == NULL)
++		    // out of memory
++		    return;
+ 	    }
+ 	    else
+ 	    {
+ 		vim_free(old_sub);
+ 		old_sub = vim_strsave(sub);
++		if (old_sub == NULL)
++		    // out of memory
++		    return;
+ 	    }
+ 	}
+     }
+@@ -3805,7 +3817,7 @@ ex_substitute(exarg_T *eap)
+ 	    return;
+ 	}
+ 	pat = NULL;		// search_regcomp() will use previous pattern
+-	sub = old_sub;
++	sub = vim_strsave(old_sub);
+ 
+ 	// Vi compatibility quirk: repeating with ":s" keeps the cursor in the
+ 	// last column after using "$".
+@@ -3824,7 +3836,10 @@ ex_substitute(exarg_T *eap)
+ 	linenr_T    joined_lines_count;
+ 
+ 	if (eap->skip)
++	{
++	    vim_free(sub);
+ 	    return;
++	}
+ 	curwin->w_cursor.lnum = eap->line1;
+ 	if (*cmd == 'l')
+ 	    eap->flags = EXFLAG_LIST;
+@@ -3851,6 +3866,7 @@ ex_substitute(exarg_T *eap)
+ 	    save_re_pat(RE_SUBST, pat, magic_isset());
+ 	// put pattern in history
+ 	add_to_history(HIST_SEARCH, pat, TRUE, NUL);
++	vim_free(sub);
+ 
+ 	return;
+     }
+@@ -3938,6 +3954,7 @@ ex_substitute(exarg_T *eap)
+ 	if (i <= 0 && !eap->skip && subflags.do_error)
+ 	{
+ 	    emsg(_(e_positive_count_required));
++	    vim_free(sub);
+ 	    return;
+ 	}
+ 	else if (i >= INT_MAX)
+@@ -3945,6 +3962,7 @@ ex_substitute(exarg_T *eap)
+ 	    char	buf[20];
+ 	    vim_snprintf(buf, sizeof(buf), "%ld", i);
+ 	    semsg(_(e_val_too_large), buf);
++	    vim_free(sub);
+ 	    return;
+ 	}
+ 	eap->line1 = eap->line2;
+@@ -3963,17 +3981,22 @@ ex_substitute(exarg_T *eap)
+ 	if (eap->nextcmd == NULL)
+ 	{
+ 	    semsg(_(e_trailing_characters_str), cmd);
++	    vim_free(sub);
+ 	    return;
+ 	}
+     }
+ 
+     if (eap->skip)	    // not executing commands, only parsing
++    {
++	vim_free(sub);
+ 	return;
++    }
+ 
+     if (!subflags.do_count && !curbuf->b_p_ma)
+     {
+ 	// Substitution is not allowed in non-'modifiable' buffer
+ 	emsg(_(e_cannot_make_changes_modifiable_is_off));
++	vim_free(sub);
+ 	return;
+     }
+ 
+@@ -3981,6 +4004,7 @@ ex_substitute(exarg_T *eap)
+     {
+ 	if (subflags.do_error)
+ 	    emsg(_(e_invalid_command));
++	vim_free(sub);
+ 	return;
+     }
+ 
+@@ -4001,20 +4025,20 @@ ex_substitute(exarg_T *eap)
+      */
+     if (sub[0] == '\\' && sub[1] == '=')
+     {
+-	sub = vim_strsave(sub);
+-	if (sub == NULL)
++	p = vim_strsave(sub);
++	vim_free(sub);
++	if (p == NULL)
+ 	    return;
+-	sub_copy = sub;
++	sub = p;
+     }
+     else
+     {
+-	char_u *newsub = regtilde(sub, magic_isset());
++	p = regtilde(sub, magic_isset());
+ 
+-	if (newsub != sub)
++	if (p != sub)
+ 	{
+-	    // newsub was allocated, free it later.
+-	    sub_copy = newsub;
+-	    sub = newsub;
++	    vim_free(sub);
++	    sub = p;
+ 	}
+     }
+ 
+@@ -4848,7 +4872,7 @@ ex_substitute(exarg_T *eap)
+ #endif
+ 
+     vim_regfree(regmatch.regprog);
+-    vim_free(sub_copy);
++    vim_free(sub);
+ 
+     // Restore the flag values, they can be used for ":&&".
+     subflags.do_all = save_do_all;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 3ed159799f5cc..7c2bbb4767705 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -3,6 +3,32 @@ source shared.vim
+ source shared.vim
+ source check.vim
+ 
++" NOTE: This needs to be the first test to be
++"       run in the file, since it depends on
++"       that the previous substitution atom
++"       was not yet set.
++"
++" recursive call of :s and sub-replace special
++" (did cause heap-use-after free in < v9.0.2121)
++func Test_aaaa_substitute_expr_recursive_special()
++  func R()
++    " FIXME: leaving out the 'n' flag leaks memory, why?
++    %s/./\='.'/gn
++  endfunc
++  new Xfoobar_UAF
++  put ='abcdef'
++  let bufnr = bufnr('%')
++  try
++    silent! :s/./~\=R()/0
++    "call assert_fails(':s/./~\=R()/0', 'E939:')
++    let @/='.'
++    ~g
++  catch /^Vim\%((\a\+)\)\=:E565:/
++  endtry
++  delfunc R
++  exe bufnr .. "bw!"
++endfunc
++
+ func Test_multiline_subst()
+   enew!
+   call append(0, ["1 aa",
+@@ -146,7 +172,6 @@ func Test_substitute_repeat()
+   call feedkeys("Qsc\<CR>y", 'tx')
+   bwipe!
+ endfunc
+-
+ " Test %s/\n// which is implemented as a special case to use a
+ " more efficient join rather than doing a regular substitution.
+ func Test_substitute_join()
+@@ -1419,4 +1444,23 @@ func Test_substitute_tilde_too_long()
+   delfunc SubExpr
+ endfunc
+ 
++" recursive call of :s using test-replace special
++func Test_substitute_expr_recursive()
++  func Q()
++    %s/./\='foobar'/gn
++    return "foobar"
++  endfunc
++  func R()
++    %s/./\=Q()/g
++  endfunc
++  new Xfoobar_UAF
++  let bufnr = bufnr('%')
++  put ='abcdef'
++  silent! s/./\=R()/g
++  call assert_fails(':%s/./\=R()/g', 'E565:')
++  delfunc R
++  delfunc Q
++  exe bufnr .. "bw!"
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

backport-CVE-2023-5441.patch

@@ -0,0 +1,35 @@
+From 20d161ace307e28690229b68584f2d84556f8960 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 5 Oct 2023 22:08:30 +0200
+Subject: [PATCH] patch 9.0.1992: [security] segfault in exmode
+
+Problem:  segfault in exmode when redrawing
+Solution: skip gui_scroll when exmode_active
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/gui.c                         | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/gui.c b/src/gui.c
+index 1f546b2a75b57..9c9aa3cbecdcf 100644
+--- a/src/gui.c
++++ b/src/gui.c
+@@ -4436,6 +4436,7 @@ gui_do_scrollbar(
+  * Scroll a window according to the values set in the globals current_scrollbar
+  * and scrollbar_value.  Return TRUE if the cursor in the current window moved
+  * or FALSE otherwise.
++ * may eventually cause a redraw using updateWindow
+  */
+     int
+ gui_do_scroll(void)
+@@ -4455,6 +4456,9 @@ gui_do_scroll(void)
+     if (wp == NULL)
+ 	// Couldn't find window
+ 	return FALSE;
++    // don't redraw, LineOffset and similar are not valid!
++    if (exmode_active)
++	return FALSE;
+ 
+     /*
+      * Compute number of lines to scroll.  If zero, nothing to do.

backport-CVE-2023-5535.patch

@@ -0,0 +1,37 @@
+From 41e6f7d6ba67b61d911f9b1d76325cd79224753d Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Wed, 11 Oct 2023 21:08:13 +0200
+Subject: [PATCH] patch 9.0.2010: [security] use-after-free from
+ buf_contents_changed()
+
+Problem:  [security] use-after-free from buf_contents_changed()
+Solution: block autocommands
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/buffer.c                            |   5 +++++
+ 1 files changed, 5 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 93f9245f27f9d..9ee74f54dd6fd 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -5902,6 +5902,9 @@ buf_contents_changed(buf_T *buf)
+     // set curwin/curbuf to buf and save a few things
+     aucmd_prepbuf(&aco, newbuf);
+ 
++    // We don't want to trigger autocommands now, they may have nasty
++    // side-effects like wiping buffers
++    block_autocmds();
+     if (ml_open(curbuf) == OK
+ 	    && readfile(buf->b_ffname, buf->b_fname,
+ 				  (linenr_T)0, (linenr_T)0, (linenr_T)MAXLNUM,
+@@ -5927,6 +5930,8 @@ buf_contents_changed(buf_T *buf)
+     if (curbuf != newbuf)	// safety check
+ 	wipe_buffer(newbuf, FALSE);
+ 
++    unblock_autocmds();
++
+     return differ;
+ }
+ 

backport-patch-9.0.2114-overflow-detection-not-accurate-when-adding-digits.patch

@@ -0,0 +1,94 @@
+From 22cbc8a4e17ce61aa460c451a26e1bff2c3d2af9 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 19 Nov 2023 10:47:21 +0100
+Subject: [PATCH] patch 9.0.2114: overflow detection not accurate when adding
+ digits
+
+Problem:  overflow detection not accurate when adding digits
+Solution: Use a helper function
+
+Use a helper function to better detect overflows before adding integer
+digits to a long or an integer variable respectively. Signal the
+overflow to the caller function.
+
+closes: #13539
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+Signed-off-by: Michael Henry <vim@drmikehenry.com>
+Signed-off-by: Ernie Rael <errael@raelity.com>
+---
+ src/misc1.c         | 25 +++++++++++++++++++++++--
+ src/normal.c        |  3 +--
+ src/proto/misc1.pro |  2 ++
+ 3 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/src/misc1.c b/src/misc1.c
+index 5f9828ebe9544..dc0deae67af93 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -951,9 +951,8 @@ get_number(
+ 	c = safe_vgetc();
+ 	if (VIM_ISDIGIT(c))
+ 	{
+-	    if (n > INT_MAX / 10)
++	    if (vim_append_digit_int(&n, c - '0') == FAIL)
+ 		return 0;
+-	    n = n * 10 + c - '0';
+ 	    msg_putchar(c);
+ 	    ++typed;
+ 	}
+@@ -2755,3 +2754,25 @@ may_trigger_modechanged(void)
+     restore_v_event(v_event, &save_v_event);
+ #endif
+ }
++
++// For overflow detection, add a digit safely to an int value.
++    int
++vim_append_digit_int(int *value, int digit)
++{
++    int x = *value;
++    if (x > ((INT_MAX - digit) / 10))
++	return FAIL;
++    *value = x * 10 + digit;
++    return OK;
++}
++
++// For overflow detection, add a digit safely to a long value.
++    int
++vim_append_digit_long(long *value, int digit)
++{
++    long x = *value;
++    if (x > ((LONG_MAX - (long)digit) / 10))
++	return FAIL;
++    *value = x * 10 + (long)digit;
++    return OK;
++}
+diff --git a/src/normal.c b/src/normal.c
+index 16b4b45069329..61a19c13a43c9 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -2568,12 +2568,11 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
+ 	    n /= 10;
+ 	else if (VIM_ISDIGIT(nchar))
+ 	{
+-	    if (n > LONG_MAX / 10)
++	    if (vim_append_digit_long(&n, nchar - '0') == FAIL)
+ 	    {
+ 		clearopbeep(cap->oap);
+ 		break;
+ 	    }
+-	    n = n * 10 + (nchar - '0');
+ 	}
+ 	else if (nchar == CAR)
+ 	{
+diff --git a/src/proto/misc1.pro b/src/proto/misc1.pro
+index b87b7ea747576..2b8e9d8f264cb 100644
+--- a/src/proto/misc1.pro
++++ b/src/proto/misc1.pro
+@@ -52,4 +52,6 @@ int path_with_url(char_u *fname);
+ dict_T *get_v_event(save_v_event_T *sve);
+ void restore_v_event(dict_T *v_event, save_v_event_T *sve);
+ void may_trigger_modechanged(void);
++int vim_append_digit_int(int *value, int digit);
++int vim_append_digit_long(long *value, int digit);
+ /* vim: set ft=c : */

backport-patch-improve-the-error-detection.patch

@@ -0,0 +1,71 @@
+From 3d37231437fc0f761664a7cabc8f7b927b468767 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 5 Nov 2023 17:44:05 +0100
+Subject: [PATCH] runtime(tar): improve the error detection
+
+Do not rely on the fact, that the last line matches warning, error,
+inappropriate or unrecognized to determine if an error occurred. It
+could also be a file, contains such a keyword.
+
+So make the error detection slightly more strict and only assume an
+error occured, if in addition to those 4 keywords, also a space matches
+(this assumes the error message contains a space), which luckily on Unix
+not many files match by default.
+
+The whole if condition seems however slightly dubious.  In case an error
+happened, this would probably already be caught in the previous if
+statement, since this checks for the return code of the tar program.
+
+There may however be tar implementations, that do not set the exit code
+for some kind of error (but print an error message)? But let's keep this
+check for now, not many people have noticed this behaviour until now, so
+it seems to work reasonably well anyhow.
+
+related: #6425
+fixes: #13489
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/autoload/tar.vim | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/runtime/autoload/tar.vim b/runtime/autoload/tar.vim
+index e495e8262a93f..52369a42c1c1b 100644
+--- a/runtime/autoload/tar.vim
++++ b/runtime/autoload/tar.vim
+@@ -1,7 +1,7 @@
+ " tar.vim: Handles browsing tarfiles
+ "            AUTOLOAD PORTION
+-" Date:		Jan 07, 2020
+-" Version:	32
++" Date:		Nov 05, 2023
++" Version:	32a  (with modifications from the Vim Project)
+ " Maintainer:	Charles E Campbell <NcampObell@SdrPchip.AorgM-NOSPAM>
+ " License:	Vim License  (see vim's :help license)
+ "
+@@ -22,7 +22,7 @@
+ if &cp || exists("g:loaded_tar")
+  finish
+ endif
+-let g:loaded_tar= "v32"
++let g:loaded_tar= "v32a"
+ if v:version < 702
+  echohl WarningMsg
+  echo "***warning*** this version of tar needs vim 7.2"
+@@ -208,7 +208,16 @@ fun! tar#Browse(tarfile)
+ "   call Dret("tar#Browse : a:tarfile<".a:tarfile.">")
+    return
+   endif
+-  if line("$") == curlast || ( line("$") == (curlast + 1) && getline("$") =~# '\c\%(warning\|error\|inappropriate\|unrecognized\)')
++  " If there was an error message, the last line probably matches some keywords but
++  " should also contain whitespace for readability. Make sure not to match a
++  " filename that contains the keyword (error/warning/unrecognized/inappropriate, etc)
++  "
++  " FIXME:is this actually necessary? In case of an error, we should probably
++  "       have noticed in the if statement above since tar should have exited
++  "       with a non-zero exit code.
++  if line("$") == curlast || ( line("$") == (curlast + 1) &&
++        \ getline("$") =~# '\c\<\%(warning\|error\|inappropriate\|unrecognized\)\>' &&
++        \ getline("$") =~  '\s' )
+    redraw!
+    echohl WarningMsg | echo "***warning*** (tar#Browse) ".a:tarfile." doesn't appear to be a tar file" | echohl None
+    keepj sil! %d

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        18
+Release:        23
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -107,6 +107,18 @@ Patch6077:      backport-CVE-2023-4750.patch
 Patch6078:      backport-CVE-2023-4752.patch
 Patch6079:      backport-CVE-2023-4781.patch
 Patch6080:      backport-CVE-2023-5344.patch
+Patch6081:      backport-CVE-2023-5441.patch
+Patch6082:      backport-CVE-2023-5535.patch
+Patch6083:      backport-CVE-2023-46246.patch
+Patch6084:      backport-patch-improve-the-error-detection.patch
+patch6085:      backport-CVE-2023-48231.patch
+patch6086:      backport-CVE-2023-48233.patch
+patch6087:      backport-CVE-2023-48234.patch
+patch6088:      backport-CVE-2023-48235.patch
+patch6089:      backport-CVE-2023-48236.patch
+patch6090:      backport-CVE-2023-48237.patch
+patch6091:      backport-patch-9.0.2114-overflow-detection-not-accurate-when-adding-digits.patch
+Patch6092:      backport-CVE-2023-48706.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 Patch9001:      vim-Add-sw64-architecture.patch
@@ -517,6 +529,36 @@ LANG=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Nov 28 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-23
+- Type:CVE
+- ID:CVE-2023-48706
+- SUG:NA
+- DESC:fix CVE-2023-48706
+
+* Wed Nov 22 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-22
+- Type:CVE
+- ID:CVE-2023-48231 CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237
+- SUG:NA
+- DESC:fix CVE-2023-48231 CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237
+
+* Mon Nov 06 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-21
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix garbled characters display with keywords of filename
+
+* Wed Nov 01 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-20
+- Type:CVE
+- ID:CVE-2023-46246
+- SUG:NA
+- DESC:fix CVE-2023-46246
+
+* Mon Oct 16 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-19
+- Type:CVE
+- ID:CVE-2023-5441 CVE-2023-5535
+- SUG:NA
+- DESC:fix CVE-2023-5441 CVE-2023-5535
+
 * Sun Oct 08 2023 wangjiang <wangjiang37@h-partners.com> - 2:9.0-18
 - Type:CVE
 - ID:CVE-2023-5344