9 changed files with 24 additions and 165 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,9 @@
+SOURCES/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
+SOURCES/0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
+SOURCES/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
+SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+SOURCES/gvim16.png
+SOURCES/gvim32.png
+SOURCES/gvim48.png
 SOURCES/gvim64.png
 SOURCES/vim-8.2-2637.tar.bz2
--- a/.vim.metadata
+++ b/.vim.metadata
@ -1,2 +1,9 @@
+56aa27d37d3697edb9986a81d3e444352971e03f SOURCES/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
+db80f6cf2350a44d396372e0a22648af5dd555d8 SOURCES/0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch
+09869f7c75a9cabc7f200558e843fb4265a4a8a5 SOURCES/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
+814585e3e1e55d515dc8124e661deb864d2bdb32 SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+a7c81ffd40611b19c125c505699d8a6401f6e022 SOURCES/gvim16.png
+2356345378a9f1ba3c9e9e6508b695611e8f2cfa SOURCES/gvim32.png
+37ad682f67539da7f4d4b7316383115dfe43222d SOURCES/gvim48.png
 c32bd520a1498b71ee9bbcddc7ad05df1565d085 SOURCES/gvim64.png
 8405efdee1d83465651f90edc1173ff69f390aea SOURCES/vim-8.2-2637.tar.bz2
--- a/SOURCES/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
+++ b/SOURCES/0001-patch-8.2.3428-using-freed-memory-when-replacing.patch
@ -1,50 +0,0 @@
-diff -up vim82/src/normal.c.cve-3796 vim82/src/normal.c
--- vim82/src/normal.c.cve-3796	2021-03-22 10:02:42.000000000 +0100
-+++ vim82/src/normal.c	2021-10-15 10:45:21.397258123 +0200
-@@ -5076,19 +5076,23 @@ nv_replace(cmdarg_T *cap)
- 	    {
- 		/*
- 		 * Get ptr again, because u_save and/or showmatch() will have
-		 * released the line.  At the same time we let know that the
-		 * line will be changed.
-+		 * released the line.  This may also happen in ins_copychar().
-+		 * At the same time we let know that the line will be changed.
- 		 */
-		ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
- 		if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
- 		{
- 		  int c = ins_copychar(curwin->w_cursor.lnum
- 					   + (cap->nchar == Ctrl_Y ? -1 : 1));
-+
-+		  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
- 		  if (c != NUL)
- 		    ptr[curwin->w_cursor.col] = c;
- 		}
- 		else
-+		{
-+		    ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
- 		    ptr[curwin->w_cursor.col] = cap->nchar;
-+		}
- 		if (p_sm && msg_silent == 0)
- 		    showmatch(cap->nchar);
- 		++curwin->w_cursor.col;
-diff -up vim82/src/testdir/test_edit.vim.cve-3796 vim82/src/testdir/test_edit.vim
--- vim82/src/testdir/test_edit.vim.cve-3796	2021-10-15 10:45:21.398258115 +0200
-+++ vim82/src/testdir/test_edit.vim	2021-10-15 10:46:22.892764135 +0200
-@@ -1844,4 +1844,16 @@ func Test_read_invalid()
-   set encoding=utf-8
- endfunc
- 
-+" Test for getting the character of the line below after "p"
-+func Test_edit_put_CTRL_E()
-+  set encoding=latin1
-+  new
-+  let @" = ''
-+  sil! norm orggRx
-+  sil! norm pr
-+  call assert_equal(['r', 'r'], getline(1, 2))
-+  bwipe!
-+  set encoding=utf-8
-+endfunc
-+
- " vim: shiftwidth=2 sts=2 expandtab
--- a/SOURCES/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
+++ b/SOURCES/0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
@ -1,75 +0,0 @@
-diff --git a/src/spellsuggest.c b/src/spellsuggest.c
-index 3de9ff2..5462583 100644
--- a/src/spellsuggest.c
-+++ b/src/spellsuggest.c
-@@ -1200,7 +1200,7 @@ suggest_try_change(suginfo_T *su)
- 
- // Check the maximum score, if we go over it we won't try this change.
- #define TRY_DEEPER(su, stack, depth, add) \
-		(stack[depth].ts_score + (add) < su->su_maxscore)
-+       (depth < MAXWLEN - 1 && stack[depth].ts_score + (add) < su->su_maxscore)
- 
- /*
-  * Try finding suggestions by adding/removing/swapping letters.
-@@ -1272,6 +1272,9 @@ suggest_trie_walk(
-     char_u	changename[MAXWLEN][80];
- #endif
-     int		breakcheckcount = 1000;
-+#ifdef FEAT_RELTIME
-+    proftime_T	time_limit;
-+#endif
-     int		compound_ok;
- 
-     // Go through the whole case-fold tree, try changes at each node.
-@@ -1316,6 +1319,11 @@ suggest_trie_walk(
- 	    sp->ts_state = STATE_START;
- 	}
-     }
-+#ifdef FEAT_RELTIME
-+    // The loop may take an indefinite amount of time. Break out after five
-+    // sectonds. TODO: add an option for the time limit.
-+    profile_setlimit(5000, &time_limit);
-+#endif
- 
-     // Loop to find all suggestions.  At each round we either:
-     // - For the current state try one operation, advance "ts_curi",
-@@ -1350,7 +1358,8 @@ suggest_trie_walk(
- 
- 		// At end of a prefix or at start of prefixtree: check for
- 		// following word.
-		if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
-+		if (depth < MAXWLEN - 1
-+			    && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
- 		{
- 		    // Set su->su_badflags to the caps type at this position.
- 		    // Use the caps type until here for the prefix itself.
-@@ -2644,6 +2653,10 @@ suggest_trie_walk(
- 	    {
- 		ui_breakcheck();
- 		breakcheckcount = 1000;
-+#ifdef FEAT_RELTIME
-+		if (profile_passed_limit(&time_limit))
-+		    got_int = TRUE;
-+#endif
- 	    }
- 	}
-     }
-diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
-index a3a9621..35035a2 100644
--- a/src/testdir/test_spell.vim
-+++ b/src/testdir/test_spell.vim
-@@ -768,6 +768,14 @@ func Test_spell_long_word()
-   set nospell
- endfunc
- 
-+func Test_spellsuggest_too_deep()
-+  " This was incrementing "depth" over MAXWLEN.
-+  new
-+  norm s000G00ý000000000000
-+  sil norm ..vzG................vvzG0     v z=
-+  bwipe!
-+endfunc
-+
- func LoadAffAndDic(aff_contents, dic_contents)
-   set enc=latin1
-   set spellfile=
--- a/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+++ b/SOURCES/0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
@ -1,39 +0,0 @@
-diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
--- vim82/src/spellsuggest.c.cve0943	2022-03-28 20:48:07.079197805 +0200
-+++ vim82/src/spellsuggest.c	2022-03-28 20:48:07.101197522 +0200
-@@ -501,6 +501,10 @@ spell_suggest(int count)
- 	    curwin->w_cursor.col = VIsual.col;
- 	++badlen;
- 	end_visual_mode();
-+	// make sure we don't include the NUL at the end of the line
-+	line = ml_get_curline();
-+	if (badlen > STRLEN(line) - curwin->w_cursor.col)
-+	    badlen = STRLEN(line) - curwin->w_cursor.col;
-     }
-     // Find the start of the badly spelled word.
-     else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
-diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
--- vim82/src/testdir/test_spell.vim.cve0943	2022-03-28 20:48:07.102197509 +0200
-+++ vim82/src/testdir/test_spell.vim	2022-03-28 20:49:05.038452974 +0200
-@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
-   delfunc MySuggest3
- endfunc
- 
-+func Test_spellsuggest_visual_end_of_line()
-+  let enc_save = &encoding
-+  set encoding=iso8859
-+
-+  " This was reading beyond the end of the line.
-+  norm R00000000000
-+  sil norm 0
-+  sil! norm i00000)
-+  sil! norm i00000)
-+  call feedkeys("\<CR>")
-+  norm z=
-+
-+  let &encoding = enc_save
-+endfunc
-+
- func Test_spellinfo()
-   new
-   let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')
--- a/SOURCES/gvim16.png
+++ b/SOURCES/gvim16.png
--- a/SOURCES/gvim32.png
+++ b/SOURCES/gvim32.png
--- a/SOURCES/gvim48.png
+++ b/SOURCES/gvim48.png
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@ -136,6 +136,8 @@ Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
 Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 # CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL
 Patch3053:0001-patch-9.0.0339-no-check-if-the-return-value-of-XChan.patch
+# RHEL-40602 CVE-2021-3903 vim: heap-based buffer overflow vulnerability
+Patch3054: 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -376,6 +378,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3051 -p1 -b .cve1897
 %patch3052 -p1 -b .cve1927
 %patch3053 -p1 -b .cve47024
+%patch -P 3054 -p1 -b .cve2021-3903

 %build
 cd src
@ -933,6 +936,12 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif

 %changelog
+* Mon Oct 07 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2:8.2.2637-21
+- Rebuilt for MSVSphere 9.5 beta
+
+* Mon Aug 05 2024 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-21
+- RHEL-40602 CVE-2021-3903 vim: heap-based buffer overflow vulnerability
+
 * Thu Feb 09 2023 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-20
 - CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL