vim: fix CVE-2021-3796, CVE-2021-3872, and CVE-2021-3875

Backport patches from upstream to fix these CVEs. (From OE-Core rev: b493eb4f9a6bb75a2f01a53b6c70762845bf79f9) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross@burtonini.com> 2021-11-09 23:13:07 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-10 19:27:28 +0000
commit: ce534e8e16f0d880aeae6477e57d1b7b86833a35 (patch)
tree: 6b1091b3da055c9302a5290999df201311c65eea /meta/recipes-support/vim/files
parent: 47b01a4ef31a9b3f27c968ff1ff564a8a83fa7ed (diff)
download: poky-ce534e8e16f0d880aeae6477e57d1b7b86833a35.tar.gz
4 files changed, 338 insertions, 0 deletions
diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
new file mode 100644
index 0000000000..ecfae0301e
--- /dev/null
+++ b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -0,0 +1,83 @@
+CVE: CVE-2021-3796
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 1160e5f74b229336502fc376416f21108d36cfc2 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 11 Sep 2021 21:14:20 +0200
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+Problem:    Using freed memory when replacing. (Dhiraj Mishra)
+Solution:   Get the line pointer after calling ins_copychar().
+---
+ src/normal.c              | 10 +++++++---
+ src/testdir/test_edit.vim | 14 ++++++++++++++
+ src/version.c             |  2 ++
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..d6333b948 100644
+--- a/src/normal.c
+++ b/src/normal.c
+@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
+            {
+                /*
+                 * Get ptr again, because u_save and/or showmatch() will have
+-                * released the line.  At the same time we let know that the
+-                * line will be changed.
+                * released the line.  This may also happen in ins_copychar().
+                * At the same time we let know that the line will be changed.
+                 */
+-               ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+                if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+                {
+                  int c = ins_copychar(curwin->w_cursor.lnum
+                                           + (cap->nchar == Ctrl_Y ? -1 : 1));
+
+                 ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+                  if (c != NUL)
+                    ptr[curwin->w_cursor.col] = c;
+                }
+                else
+               {
+                   ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+                    ptr[curwin->w_cursor.col] = cap->nchar;
+               }
+                if (p_sm && msg_silent == 0)
+                    showmatch(cap->nchar);
+                ++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 4e29e7fe1..f94e6c181 100644
+--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
+@@ -1519,3 +1519,17 @@ func Test_edit_noesckeys()
+   bwipe!
+   set esckeys
+ endfunc
+
+" Test for getting the character of the line below after "p"
+func Test_edit_put_CTRL_E()
+  set encoding=latin1
+  new
+  let @" = ''
+  sil! norm orggRx
+  sil! norm pr
+  call assert_equal(['r', 'r'], getline(1, 2))
+  bwipe!
+  set encoding=utf-8
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 85bdfc601..1046993d6 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    3428,
+ /**/
+     3409,
+ /**/
diff --git a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
new file mode 100644
index 0000000000..576664f436
--- /dev/null
+++ b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
@@ -0,0 +1,86 @@
+CVE: CVE-2021-3872
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Oct 2021 18:39:28 +0100
+Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
+ long
+Problem:    Illegal memory access if buffer name is very long.
+Solution:   Make sure not to go over the end of the buffer.
+---
+ src/drawscreen.c                | 10 +++++-----
+ src/testdir/test_statusline.vim | 11 +++++++++++
+ src/version.c                   |  2 ++
+ 3 files changed, 18 insertions(+), 5 deletions(-)
+diff --git a/src/drawscreen.c b/src/drawscreen.c
+index 3a88ee979..9acb70552 100644
+--- a/src/drawscreen.c
+++ b/src/drawscreen.c
+@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+            *(p + len++) = ' ';
+        if (bt_help(wp->w_buffer))
+        {
+-           STRCPY(p + len, _("[Help]"));
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+            len += (int)STRLEN(p + len);
+        }
+ #ifdef FEAT_QUICKFIX
+        if (wp->w_p_pvw)
+        {
+-           STRCPY(p + len, _("[Preview]"));
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+            len += (int)STRLEN(p + len);
+        }
+ #endif
+@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
+ #endif
+                )
+        {
+-           STRCPY(p + len, "[+]");
+-           len += 3;
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+           len += (int)STRLEN(p + len);
+        }
+        if (wp->w_buffer->b_p_ro)
+        {
+-           STRCPY(p + len, _("[RO]"));
+           vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+            len += (int)STRLEN(p + len);
+        }
+ 
+diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
+index 1f705b847..91bce1407 100644
+--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
+@@ -393,3 +393,14 @@ func Test_statusline_visual()
+   bwipe! x1
+   bwipe! x2
+ endfunc
+" Used to write beyond allocated memory.  This assumes MAXPATHL is 4096 bytes.
+func Test_statusline_verylong_filename()
+  let fname = repeat('x', 4090)
+  exe "new " .. fname
+  set buftype=help
+  set previewwindow
+  redraw
+  bwipe!
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 1046993d6..2b5de5ccf 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    3487,
+ /**/
+     3428,
+ /**/
diff --git a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
new file mode 100644
index 0000000000..045081579c
--- /dev/null
+++ b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
@@ -0,0 +1,72 @@
+CVE: CVE-2021-3875
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 9 Oct 2021 13:58:55 +0100
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+Problem:    ml_get error after search with range.
+Solution:   Limit the line number to the buffer line count.
+---
+ src/ex_docmd.c              |  6 ++++--
+ src/testdir/test_search.vim | 17 +++++++++++++++++
+ src/version.c               |  2 ++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fb07450f8..fde726477 100644
+--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+ 
+                    // When '/' or '?' follows another address, start from
+                    // there.
+-                   if (lnum != MAXLNUM)
+-                       curwin->w_cursor.lnum = lnum;
+                   if (lnum > 0 && lnum != MAXLNUM)
+                       curwin->w_cursor.lnum =
+                               lnum > curbuf->b_ml.ml_line_count
+                                          ? curbuf->b_ml.ml_line_count : lnum;
+ 
+                    // Start a forward search at the end of the line (unless
+                    // before the first line).
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 187671305..e142c3547 100644
+--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
+@@ -1366,3 +1366,20 @@ func Test_searchdecl()
+ 
+   bwipe!
+ endfunc
+
+func Test_search_with_invalid_range()
+  new
+  let lines =<< trim END
+    /\%.v
+    5/
+    c
+  END
+  call writefile(lines, 'Xrangesearch')
+  source Xrangesearch
+
+  bwipe!
+  call delete('Xrangesearch')
+endfunc
+
+
+" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 2b5de5ccf..092864bbb 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    3489,
+ /**/
+     3487,
+ /**/
diff --git a/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
new file mode 100644
index 0000000000..7184b37cad
--- /dev/null
+++ b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
@@ -0,0 +1,97 @@
+CVE: CVE-2021-3903
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From b15919c1fe0f7fc3d98ff5207ed2feb43c59009d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 25 Oct 2021 17:07:04 +0100
+Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
+ valid screen
+Problem:    Invalid memory access when scrolling without a valid screen.
+Solution:   Do not set VALID_BOTLINE in w_valid.
+---
+ src/move.c                  |  1 -
+ src/testdir/test_normal.vim | 23 ++++++++++++++++++++---
+ src/version.c               |  2 ++
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+diff --git a/src/move.c b/src/move.c
+index 8e53d8bcb..10165ef4d 100644
+--- a/src/move.c
+++ b/src/move.c
+@@ -198,7 +198,6 @@ update_topline(void)
+     {
+        curwin->w_topline = curwin->w_cursor.lnum;
+        curwin->w_botline = curwin->w_topline;
+-       curwin->w_valid |= VALID_BOTLINE|VALID_BOTLINE_AP;
+        curwin->w_scbind_pos = 1;
+        return;
+     }
+diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
+index d45cf4159..ca87928f5 100644
+--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
+@@ -33,14 +33,14 @@ func CountSpaces(type, ...)
+   else
+     silent exe "normal! `[v`]y"
+   endif
+-  let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
+  let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
+   let &selection = sel_save
+   let @@ = reg_save
+ endfunc
+ 
+ func OpfuncDummy(type, ...)
+   " for testing operatorfunc
+-  let g:opt=&linebreak
+  let g:opt = &linebreak
+ 
+   if a:0  " Invoked from Visual mode, use gv command.
+     silent exe "normal! gvy"
+@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...)
+   endif
+   " Create a new dummy window
+   new
+-  let g:bufnr=bufnr('%')
+  let g:bufnr = bufnr('%')
+ endfunc
+ 
+ fun! Test_normal00_optrans()
+@@ -718,6 +718,23 @@ func Test_normal17_z_scroll_hor2()
+   bw!
+ endfunc
+ 
+
+func Test_scroll_in_ex_mode()
+  " This was using invalid memory because w_botline was invalid.
+  let lines =<< trim END
+      diffsplit
+      norm os00(
+      call writefile(['done'], 'Xdone')
+      qa!
+  END
+  call writefile(lines, 'Xscript')
+  call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
+  call assert_equal(['done'], readfile('Xdone'))
+
+  call delete('Xscript')
+  call delete('Xdone')
+endfunc
+
+ func Test_normal18_z_fold()
+   " basic tests for foldopen/folddelete
+   if !has("folding")
+diff --git a/src/version.c b/src/version.c
+index 092864bbb..a9e8be0e7 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    3564,
+ /**/
+     3489,
+ /**/
author	Ross Burton <ross@burtonini.com>	2021-11-09 23:13:07 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-10 19:27:28 +0000
commit	ce534e8e16f0d880aeae6477e57d1b7b86833a35 (patch)
tree	6b1091b3da055c9302a5290999df201311c65eea /meta/recipes-support/vim/files
parent	47b01a4ef31a9b3f27c968ff1ff564a8a83fa7ed (diff)
download	poky-ce534e8e16f0d880aeae6477e57d1b7b86833a35.tar.gz

diff --git a/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch new file mode 100644 index 0000000000..ecfae0301e --- /dev/null +++ b/meta/recipes-support/vim/files/0002-patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -0,0 +1,83 @@
	1	CVE: CVE-2021-3796
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@arm.com>
	4
	5	From 1160e5f74b229336502fc376416f21108d36cfc2 Mon Sep 17 00:00:00 2001
	6	From: Bram Moolenaar <Bram@vim.org>
	7	Date: Sat, 11 Sep 2021 21:14:20 +0200
	8	Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
	9
	10	Problem: Using freed memory when replacing. (Dhiraj Mishra)
	11	Solution: Get the line pointer after calling ins_copychar().
	12	---
	13	src/normal.c \| 10 +++++++---
	14	src/testdir/test_edit.vim \| 14 ++++++++++++++
	15	src/version.c \| 2 ++
	16	3 files changed, 23 insertions(+), 3 deletions(-)
	17
	18	diff --git a/src/normal.c b/src/normal.c
	19	index c4963e621..d6333b948 100644
	20	--- a/src/normal.c
	21	+++ b/src/normal.c
	22	@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
	23	{
	24	/*
	25	* Get ptr again, because u_save and/or showmatch() will have
	26	- * released the line. At the same time we let know that the
	27	- * line will be changed.
	28	+ * released the line. This may also happen in ins_copychar().
	29	+ * At the same time we let know that the line will be changed.
	30	*/
	31	- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
	32	if (cap->nchar == Ctrl_E \|\| cap->nchar == Ctrl_Y)
	33	{
	34	int c = ins_copychar(curwin->w_cursor.lnum
	35	+ (cap->nchar == Ctrl_Y ? -1 : 1));
	36	+
	37	+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
	38	if (c != NUL)
	39	ptr[curwin->w_cursor.col] = c;
	40	}
	41	else
	42	+ {
	43	+ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
	44	ptr[curwin->w_cursor.col] = cap->nchar;
	45	+ }
	46	if (p_sm && msg_silent == 0)
	47	showmatch(cap->nchar);
	48	++curwin->w_cursor.col;
	49	diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
	50	index 4e29e7fe1..f94e6c181 100644
	51	--- a/src/testdir/test_edit.vim
	52	+++ b/src/testdir/test_edit.vim
	53	@@ -1519,3 +1519,17 @@ func Test_edit_noesckeys()
	54	bwipe!
	55	set esckeys
	56	endfunc
	57	+
	58	+" Test for getting the character of the line below after "p"
	59	+func Test_edit_put_CTRL_E()
	60	+ set encoding=latin1
	61	+ new
	62	+ let @" = ''
	63	+ sil! norm orggRx
	64	+ sil! norm pr
	65	+ call assert_equal(['r', 'r'], getline(1, 2))
	66	+ bwipe!
	67	+ set encoding=utf-8
	68	+endfunc
	69	+
	70	+" vim: shiftwidth=2 sts=2 expandtab
	71	diff --git a/src/version.c b/src/version.c
	72	index 85bdfc601..1046993d6 100644
	73	--- a/src/version.c
	74	+++ b/src/version.c
	75	@@ -742,6 +742,8 @@ static char *(features[]) =
	76
	77	static int included_patches[] =
	78	{ /* Add new patch number below this line */
	79	+/**/
	80	+ 3428,
	81	/**/
	82	3409,
	83	/**/


diff --git a/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch new file mode 100644 index 0000000000..576664f436 --- /dev/null +++ b/meta/recipes-support/vim/files/0003-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
@@ -0,0 +1,86 @@
	1	CVE: CVE-2021-3872
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@arm.com>
	4
	5	From 61629ea24a2fff1f89c37479d3fb52f17c3480fc Mon Sep 17 00:00:00 2001
	6	From: Bram Moolenaar <Bram@vim.org>
	7	Date: Fri, 8 Oct 2021 18:39:28 +0100
	8	Subject: [PATCH] patch 8.2.3487: illegal memory access if buffer name is very
	9	long
	10
	11	Problem: Illegal memory access if buffer name is very long.
	12	Solution: Make sure not to go over the end of the buffer.
	13	---
	14	src/drawscreen.c \| 10 +++++-----
	15	src/testdir/test_statusline.vim \| 11 +++++++++++
	16	src/version.c \| 2 ++
	17	3 files changed, 18 insertions(+), 5 deletions(-)
	18
	19	diff --git a/src/drawscreen.c b/src/drawscreen.c
	20	index 3a88ee979..9acb70552 100644
	21	--- a/src/drawscreen.c
	22	+++ b/src/drawscreen.c
	23	@@ -446,13 +446,13 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
	24	*(p + len++) = ' ';
	25	if (bt_help(wp->w_buffer))
	26	{
	27	- STRCPY(p + len, _("[Help]"));
	28	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
	29	len += (int)STRLEN(p + len);
	30	}
	31	#ifdef FEAT_QUICKFIX
	32	if (wp->w_p_pvw)
	33	{
	34	- STRCPY(p + len, _("[Preview]"));
	35	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
	36	len += (int)STRLEN(p + len);
	37	}
	38	#endif
	39	@@ -462,12 +462,12 @@ win_redr_status(win_T *wp, int ignore_pum UNUSED)
	40	#endif
	41	)
	42	{
	43	- STRCPY(p + len, "[+]");
	44	- len += 3;
	45	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
	46	+ len += (int)STRLEN(p + len);
	47	}
	48	if (wp->w_buffer->b_p_ro)
	49	{
	50	- STRCPY(p + len, _("[RO]"));
	51	+ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
	52	len += (int)STRLEN(p + len);
	53	}
	54
	55	diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
	56	index 1f705b847..91bce1407 100644
	57	--- a/src/testdir/test_statusline.vim
	58	+++ b/src/testdir/test_statusline.vim
	59	@@ -393,3 +393,14 @@ func Test_statusline_visual()
	60	bwipe! x1
	61	bwipe! x2
	62	endfunc
	63	+" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
	64	+func Test_statusline_verylong_filename()
	65	+ let fname = repeat('x', 4090)
	66	+ exe "new " .. fname
	67	+ set buftype=help
	68	+ set previewwindow
	69	+ redraw
	70	+ bwipe!
	71	+endfunc
	72	+
	73	+" vim: shiftwidth=2 sts=2 expandtab
	74	diff --git a/src/version.c b/src/version.c
	75	index 1046993d6..2b5de5ccf 100644
	76	--- a/src/version.c
	77	+++ b/src/version.c
	78	@@ -742,6 +742,8 @@ static char *(features[]) =
	79
	80	static int included_patches[] =
	81	{ /* Add new patch number below this line */
	82	+/**/
	83	+ 3487,
	84	/**/
	85	3428,
	86	/**/


diff --git a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch new file mode 100644 index 0000000000..045081579c --- /dev/null +++ b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
@@ -0,0 +1,72 @@
	1	CVE: CVE-2021-3875
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@arm.com>
	4
	5	From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001
	6	From: Bram Moolenaar <Bram@vim.org>
	7	Date: Sat, 9 Oct 2021 13:58:55 +0100
	8	Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
	9
	10	Problem: ml_get error after search with range.
	11	Solution: Limit the line number to the buffer line count.
	12	---
	13	src/ex_docmd.c \| 6 ++++--
	14	src/testdir/test_search.vim \| 17 +++++++++++++++++
	15	src/version.c \| 2 ++
	16	3 files changed, 23 insertions(+), 2 deletions(-)
	17
	18	diff --git a/src/ex_docmd.c b/src/ex_docmd.c
	19	index fb07450f8..fde726477 100644
	20	--- a/src/ex_docmd.c
	21	+++ b/src/ex_docmd.c
	22	@@ -3586,8 +3586,10 @@ get_address(
	23
	24	// When '/' or '?' follows another address, start from
	25	// there.
	26	- if (lnum != MAXLNUM)
	27	- curwin->w_cursor.lnum = lnum;
	28	+ if (lnum > 0 && lnum != MAXLNUM)
	29	+ curwin->w_cursor.lnum =
	30	+ lnum > curbuf->b_ml.ml_line_count
	31	+ ? curbuf->b_ml.ml_line_count : lnum;
	32
	33	// Start a forward search at the end of the line (unless
	34	// before the first line).
	35	diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
	36	index 187671305..e142c3547 100644
	37	--- a/src/testdir/test_search.vim
	38	+++ b/src/testdir/test_search.vim
	39	@@ -1366,3 +1366,20 @@ func Test_searchdecl()
	40
	41	bwipe!
	42	endfunc
	43	+
	44	+func Test_search_with_invalid_range()
	45	+ new
	46	+ let lines =<< trim END
	47	+ /\%.v
	48	+ 5/
	49	+ c
	50	+ END
	51	+ call writefile(lines, 'Xrangesearch')
	52	+ source Xrangesearch
	53	+
	54	+ bwipe!
	55	+ call delete('Xrangesearch')
	56	+endfunc
	57	+
	58	+
	59	+" vim: shiftwidth=2 sts=2 expandtab
	60	diff --git a/src/version.c b/src/version.c
	61	index 2b5de5ccf..092864bbb 100644
	62	--- a/src/version.c
	63	+++ b/src/version.c
	64	@@ -742,6 +742,8 @@ static char *(features[]) =
	65
	66	static int included_patches[] =
	67	{ /* Add new patch number below this line */
	68	+/**/
	69	+ 3489,
	70	/**/
	71	3487,
	72	/**/


diff --git a/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch new file mode 100644 index 0000000000..7184b37cad --- /dev/null +++ b/meta/recipes-support/vim/files/0005-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
@@ -0,0 +1,97 @@
	1	CVE: CVE-2021-3903
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@arm.com>
	4
	5	From b15919c1fe0f7fc3d98ff5207ed2feb43c59009d Mon Sep 17 00:00:00 2001
	6	From: Bram Moolenaar <Bram@vim.org>
	7	Date: Mon, 25 Oct 2021 17:07:04 +0100
	8	Subject: [PATCH] patch 8.2.3564: invalid memory access when scrolling without
	9	valid screen
	10
	11	Problem: Invalid memory access when scrolling without a valid screen.
	12	Solution: Do not set VALID_BOTLINE in w_valid.
	13	---
	14	src/move.c \| 1 -
	15	src/testdir/test_normal.vim \| 23 ++++++++++++++++++++---
	16	src/version.c \| 2 ++
	17	3 files changed, 22 insertions(+), 4 deletions(-)
	18
	19	diff --git a/src/move.c b/src/move.c
	20	index 8e53d8bcb..10165ef4d 100644
	21	--- a/src/move.c
	22	+++ b/src/move.c
	23	@@ -198,7 +198,6 @@ update_topline(void)
	24	{
	25	curwin->w_topline = curwin->w_cursor.lnum;
	26	curwin->w_botline = curwin->w_topline;
	27	- curwin->w_valid \|= VALID_BOTLINE\|VALID_BOTLINE_AP;
	28	curwin->w_scbind_pos = 1;
	29	return;
	30	}
	31	diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
	32	index d45cf4159..ca87928f5 100644
	33	--- a/src/testdir/test_normal.vim
	34	+++ b/src/testdir/test_normal.vim
	35	@@ -33,14 +33,14 @@ func CountSpaces(type, ...)
	36	else
	37	silent exe "normal! `[v`]y"
	38	endif
	39	- let g:a=strlen(substitute(@@, '[^ ]', '', 'g'))
	40	+ let g:a = strlen(substitute(@@, '[^ ]', '', 'g'))
	41	let &selection = sel_save
	42	let @@ = reg_save
	43	endfunc
	44
	45	func OpfuncDummy(type, ...)
	46	" for testing operatorfunc
	47	- let g:opt=&linebreak
	48	+ let g:opt = &linebreak
	49
	50	if a:0 " Invoked from Visual mode, use gv command.
	51	silent exe "normal! gvy"
	52	@@ -51,7 +51,7 @@ func OpfuncDummy(type, ...)
	53	endif
	54	" Create a new dummy window
	55	new
	56	- let g:bufnr=bufnr('%')
	57	+ let g:bufnr = bufnr('%')
	58	endfunc
	59
	60	fun! Test_normal00_optrans()
	61	@@ -718,6 +718,23 @@ func Test_normal17_z_scroll_hor2()
	62	bw!
	63	endfunc
	64
	65	+
	66	+func Test_scroll_in_ex_mode()
	67	+ " This was using invalid memory because w_botline was invalid.
	68	+ let lines =<< trim END
	69	+ diffsplit
	70	+ norm os00(
	71	+ call writefile(['done'], 'Xdone')
	72	+ qa!
	73	+ END
	74	+ call writefile(lines, 'Xscript')
	75	+ call assert_equal(1, RunVim([], [], '--clean -X -Z -e -s -S Xscript'))
	76	+ call assert_equal(['done'], readfile('Xdone'))
	77	+
	78	+ call delete('Xscript')
	79	+ call delete('Xdone')
	80	+endfunc
	81	+
	82	func Test_normal18_z_fold()
	83	" basic tests for foldopen/folddelete
	84	if !has("folding")
	85	diff --git a/src/version.c b/src/version.c
	86	index 092864bbb..a9e8be0e7 100644
	87	--- a/src/version.c
	88	+++ b/src/version.c
	89	@@ -742,6 +742,8 @@ static char *(features[]) =
	90
	91	static int included_patches[] =
	92	{ /* Add new patch number below this line */
	93	+/**/
	94	+ 3564,
	95	/**/
	96	3489,
	97	/**/