From 50272ace522dd444f706254173a236162d50e5b4 Mon Sep 17 00:00:00 2001
From: shixuantong <1726671442@qq.com>
Date: Mon, 16 May 2022 17:49:38 +0800
Subject: [PATCH] fix CVE-2022-1154
---
 backport-CVE-2022-1154.patch | 59 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 +++++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-1154.patch
diff --git a/backport-CVE-2022-1154.patch b/backport-CVE-2022-1154.patch
new file mode 100644
index 0000000..e4d10c8
--- /dev/null
+++ b/backport-CVE-2022-1154.patch
@@ -0,0 +1,59 @@
+From b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Tue, 29 Mar 2022 13:24:58 +0100
+Subject: [PATCH] patch 8.2.4646: using buffer line after it has been freed
+
+Problem: Using buffer line after it has been freed in old regexp engine.
+Solution: After getting mark get the line again.
+---
+ src/regexp_bt.c | 9 +++++++++
+ src/testdir/test_regexp_latin.vim | 7 +++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/regexp_bt.c b/src/regexp_bt.c
+index e017ba5..ff92576 100644
+--- a/src/regexp_bt.c
++++ b/src/regexp_bt.c
+@@ -3188,8 +3188,17 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? rex.input - rex.line : 0;
+ 
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ if (pos == NULL // mark doesn't exist
+ || pos->lnum <= 0 // mark isn't set in reg_buf
+ || (pos->lnum == rex.lnum + rex.reg_firstlnum
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 5b1db5a..a242d91 100644
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -152,10 +152,17 @@ endfunc
+ 
+ func Test_using_mark_position()
+ " this was using freed memory
++ " new engine
+ new
+ norm O0
+ call assert_fails("s/\\%')", 'E486:')
+ bwipe!
++
++ " old engine
++ new
++ norm O0
++ call assert_fails("s/\\%#=1\\%')", 'E486:')
++ bwipe!
+ endfunc
+ 
+ func Test_using_invalid_visual_position()
+--
+1.8.3.1
+
diff --git a/vim.spec b/vim.spec
index 4b20bb9..a2bf8c8 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@
 Name: vim
 Epoch: 2
 Version: 8.2
-Release: 25
+Release: 26
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
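Review bot: The comment `// Line may have been freed, get it again.` on the backported regmatch() hunk does not say what frees the line or why `col` has to be computed before the `getmark_buf()` call, so the ordering that makes this a use-after-free fix is easy to break in a later cleanup (moving the `col` line below the call, or "simplifying" the refresh away). The new test only shows that `\%')` (the sentence-end mark, old engine via `\%#=1`) reaches the freed line; presumably the mark lookup moves the cursor and fetches other buffer lines, which invalidates the cached pointer, but the hunk itself does not show that, so state it as the reason and point at the test. I would replace the one-liner with `// getmark_buf() may fetch other buffer lines (e.g. for the ')' mark, see Test_using_mark_position), which can free the line rex.line points at; re-derive it from rex.lnum and restore the column saved in 'col' BEFORE the call.` and move that comment up to sit above the `size_t col = ...` declaration so both halves of the fix are covered by it. The non-REG_MULTI branch is left untouched, which looks intentional (no buffer line to refresh) but deserves the one-clause note `// single-line match: rex.line is not a buffer line, nothing to refresh`. regmatch() starts and ends outside the hunk.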
@@ -83,6 +83,7 @@ Patch6049: backport-CVE-2022-0729.patch
 Patch6050: backport-CVE-2022-0685.patch
 Patch6051: backport-CVE-2022-0943.patch
 Patch6052: backport-CVE-2022-1616.patch
+Patch6053: backport-CVE-2022-1154.patch
 Patch9000: bugfix-rm-modify-info-version.patch
 Patch9001: remove-failed-tests-due-to-patch.patch
 
@@ -485,6 +486,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Mon May 16 2022 shixuantong - 2:8.2-26
+- Type:CVE
+- ID:CVE-2022-1154
+- SUG:NA
+- DESC:fix CVE-2022-1154
+
 * Mon May 09 2022 shangyibin - 2:8.2-25
 - Type:CVE
 - ID:CVE-2022-1616
-- 
Gitee