!694 [sync] PR-691: fix CVE-2025-22134 CVE-2025-24014

From: @openeuler-sync-bot Reviewed-by: @znzjugod Signed-off-by: @znzjugod
fix CVE-2025-22134 CVE-2025-24014
2025-02-12 06:14:04 +00:00 · 2025-02-12 11:30:29 +08:00 · 2024-12-17 07:49:35 +00:00 · 2024-12-17 10:38:22 +08:00 · 2024-11-19 09:13:52 +00:00 · 2024-11-19 08:48:30 +08:00
12 changed files with 676 additions and 7 deletions
--- a/backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
+++ b/backport-9.0.0581-adding-a-character-for-incsearch-fails-at-end-of-line.patch
@ -11,7 +11,7 @@ Solution:   Only check cursor line number.
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/src/move.c b/src/move.c
-index 6c654ac..4123ca8 100644
+index 1d7bcfb..3760042 100644
 --- a/src/move.c
 +++ b/src/move.c
@@ -652,7 +652,7 @@ cursor_valid(void)
@ -24,5 +24,5 @@ index 6c654ac..4123ca8 100644
     if ((curwin->w_valid & (VALID_WCOL|VALID_WROW)) != (VALID_WCOL|VALID_WROW))
 	curs_columns(TRUE);
 -- 
-2.27.0
+2.33.0

--- a/backport-CVE-2022-2264.patch
+++ b/backport-CVE-2022-2264.patch
@ -12,7 +12,7 @@ Solution:   Adjust the end mark position.
 2 files changed, 14 insertions(+)

 diff --git a/src/register.c b/src/register.c
-index 93860ba..30e2001 100644
+index 87689f7..51c14b8 100644
 --- a/src/register.c
 +++ b/src/register.c
@@ -1918,6 +1918,8 @@ do_put(
@ -25,7 +25,7 @@ index 93860ba..30e2001 100644
 
 	    // may insert some spaces after the new text
 diff --git a/src/testdir/test_put.vim b/src/testdir/test_put.vim
-index aa5aa2b..66438bd 100644
+index 6df04cf..c8d306a 100644
 --- a/src/testdir/test_put.vim
 +++ b/src/testdir/test_put.vim
@@ -219,5 +219,17 @@ func Test_put_empty_register()
--- a/backport-CVE-2024-43802.patch
+++ b/backport-CVE-2024-43802.patch
@ -0,0 +1,45 @@
+From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 25 Aug 2024 21:33:03 +0200
+Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
+ ins_typebuf
+
+Problem:  heap-buffer-overflow in ins_typebuf
+          (SuyueGuo)
+Solution: When flushing the typeahead buffer, validate that there
+          is enough space left
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/getchar.c                    |  15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 29323fa328bd1..96e180f4ae1a9 100644
+--- a/src/getchar.c
+++ b/src/getchar.c
+@@ -437,9 +437,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
+ 
+     if (flush_typeahead == FLUSH_MINIMAL)
+     {
+-	// remove mapped characters at the start only
+-	typebuf.tb_off += typebuf.tb_maplen;
+-	typebuf.tb_len -= typebuf.tb_maplen;
+	// remove mapped characters at the start only,
+	// but only when enough space left in typebuf
+	if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+	{
+	    typebuf.tb_off = MAXMAPLEN;
+	    typebuf.tb_len = 0;
+	}
+	else
+	{
+	    typebuf.tb_off += typebuf.tb_maplen;
+	    typebuf.tb_len -= typebuf.tb_maplen;
+	}
+ #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
+ 	if (typebuf.tb_len == 0)
+ 	    typebuf_was_filled = FALSE;
--- a/backport-CVE-2025-22134.patch
+++ b/backport-CVE-2025-22134.patch
@ -0,0 +1,126 @@
+From c9a1e257f1630a0866447e53a564f7ff96a80ead Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sat, 11 Jan 2025 15:25:00 +0100
+Subject: [PATCH] patch 9.1.1003: [security]: heap-buffer-overflow with visual
+ mode
+
+Problem:  [security]: heap-buffer-overflow with visual mode when
+          using :all, causing Vim trying to access beyond end-of-line
+          (gandalf)
+Solution: Reset visual mode on :all, validate position in gchar_pos()
+          and charwise_block_prep()
+
+This fixes CVE-2025-22134
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
+
+Co-authored-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/arglist.c               |  4 ++++
+ src/misc1.c                 |  4 ++++
+ src/testdir/test_visual.vim | 26 ++++++++++++++++++++++----
+ 3 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/src/arglist.c b/src/arglist.c
+index 8825c8e252ccc5..4eec079df438a3 100644
+--- a/src/arglist.c
+++ b/src/arglist.c
+@@ -979,6 +979,10 @@ do_arg_all(
+     need_mouse_correct = TRUE;
+ #endif
+ 
+    // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
+    // switching to another buffer.
+    reset_VIsual_and_resel();
+
+     // Try closing all windows that are not in the argument list.
+     // Also close windows that are not full width;
+     // When 'hidden' or "forceit" set the buffer becomes hidden.
+diff --git a/src/misc1.c b/src/misc1.c
+index 90cf914742b115..142a6161ea6c8a 100644
+--- a/src/misc1.c
+++ b/src/misc1.c
+@@ -514,11 +514,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last)
+ gchar_pos(pos_T *pos)
+ {
+     char_u	*ptr;
+    int		ptrlen;
+ 
+     // When searching columns is sometimes put at the end of a line.
+     if (pos->col == MAXCOL)
+ 	return NUL;
+    ptrlen = STRLEN(ml_get(pos->lnum));
+     ptr = ml_get_pos(pos);
+    if (pos->col > ptrlen)
+	return NUL;
+     if (has_mbyte)
+ 	return (*mb_ptr2char)(ptr);
+     return (int)*ptr;
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 0be73ecc1342b9..03335a464d62f3 100644
+--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
+@@ -469,7 +469,7 @@ func Test_Visual_Block()
+ 	      \ "\t{",
+ 	      \ "\t}"], getline(1, '$'))
+ 
+-  close!
+  bw!
+ endfunc
+ 
+ " Test for 'p'ut in visual block mode
+@@ -1079,7 +1079,7 @@ func Test_star_register()
+ 
+   delmarks < >
+   call assert_fails('*yank', 'E20:')
+-  close!
+  bw!
+ endfunc
+ 
+ " Test for changing text in visual mode with 'exclusive' selection
+@@ -1095,7 +1095,7 @@ func Test_exclusive_selection()
+   call assert_equal('l      one', getline(1))
+   set virtualedit&
+   set selection&
+-  close!
+  bw!
+ endfunc
+ 
+ " Test for starting linewise visual with a count.
+@@ -1152,7 +1152,7 @@ func Test_visual_inner_block()
+   8,9d
+   call cursor(5, 1)
+   call assert_beeps('normal ViBiB')
+-  close!
+  bw!
+ endfunc
+ 
+ func Test_visual_put_in_block()
+@@ -1513,4 +1513,22 @@ func Test_heap_buffer_overflow()
+   set updatecount&
+ endfunc
+ 
+" the following caused a Heap-Overflow, because Vim was accessing outside of a
+" line end
+func Test_visual_pos_buffer_heap_overflow()
+  set virtualedit=all
+  args Xa Xb
+  all
+  call setline(1, ['', '', ''])
+  call cursor(3, 1)
+  wincmd w
+  call setline(1, 'foobar')
+  normal! $lv0
+  all
+  call setreg('"', 'baz')
+  normal! [P
+  set virtualedit=
+  bw! Xa Xb
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.43.0
+
--- a/backport-CVE-2025-24014.patch
+++ b/backport-CVE-2025-24014.patch
@ -0,0 +1,42 @@
+From 9d1bed5eccdbb46a26b8a484f5e9163c40e63919 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Mon, 20 Jan 2025 22:55:57 +0100
+Subject: [PATCH] patch 9.1.1043: [security]: segfault in win_line()
+
+Problem:  [security]: segfault in win_line()
+          (fizz-is-on-the-way)
+Solution: Check that ScreenLines is not NULL
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/gui.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/gui.c b/src/gui.c
+index 8e7b079a5a4ea4..86c40de632aa1e 100644
+--- a/src/gui.c
+++ b/src/gui.c
+@@ -4510,13 +4510,15 @@ gui_do_scroll(void)
+     /*
+      * Don't call updateWindow() when nothing has changed (it will overwrite
+      * the status line!).
+     *
+     * Check for ScreenLines, because in ex-mode, we don't have a valid display.
+      */
+-    if (old_topline != wp->w_topline
+    if (ScreenLines != NULL && (old_topline != wp->w_topline
+ 	    || wp->w_redr_type != 0
+ #ifdef FEAT_DIFF
+ 	    || old_topfill != wp->w_topfill
+ #endif
+-	    )
+	    ))
+     {
+ 	int type = VALID;
+ 
+-- 
+2.43.0
+
--- a/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
+++ b/backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
@ -0,0 +1,93 @@
+From 4ea37f88e8345ca830271636a2e197a1a46114d2 Mon Sep 17 00:00:00 2001
+From: zeertzjq <zeertzjq@outlook.com>
+Date: Wed, 17 Jan 2024 20:52:13 +0100
+Subject: [PATCH] patch 9.1.0038: Unnecessary loop in getvcol()
+
+Problem:  Unnecessary loop in getvcol().
+Solution: Compare next char position with pos->col directly.
+          (zeertzjq)
+
+The loop below already handles end of line before checking for posptr,
+and the next char is after pos->col whether pos->col is at the start or
+in the middle of the char in question, so neither the NUL check nor the
+mb_head_off() are needed when comparing the position of the next char
+with pos->col directly.
+
+closes: #13878
+
+Signed-off-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/charset.c | 29 ++++++-----------------------
+ 1 file changed, 6 insertions(+), 23 deletions(-)
+
+diff --git a/src/charset.c b/src/charset.c
+index 3ea2ecb8e216c2..eef2e8983c280e 100644
+--- a/src/charset.c
+++ b/src/charset.c
+@@ -1178,7 +1178,6 @@ getvcol(
+ {
+     colnr_T	vcol;
+     char_u	*ptr;		// points to current char
+-    char_u	*posptr;	// points to char at pos->col
+     char_u	*line;		// start of the line
+     int		incr;
+     int		head;
+@@ -1190,24 +1189,6 @@ getvcol(
+ 
+     vcol = 0;
+     line = ptr = ml_get_buf(wp->w_buffer, pos->lnum, FALSE);
+-    if (pos->col == MAXCOL)
+-	posptr = NULL;  // continue until the NUL
+-    else
+-    {
+-	colnr_T i;
+-
+-	// In a few cases the position can be beyond the end of the line.
+-	for (i = 0; i < pos->col; ++i)
+-	    if (ptr[i] == NUL)
+-	    {
+-		pos->col = i;
+-		break;
+-	    }
+-	posptr = ptr + pos->col;
+-	if (has_mbyte)
+-	    // always start on the first byte
+-	    posptr -= (*mb_head_off)(line, posptr);
+-    }
+ 
+     /*
+      * This function is used very often, do some speed optimizations.
+@@ -1263,11 +1244,12 @@ getvcol(
+ 		    incr = g_chartab[c] & CT_CELL_MASK;
+ 	    }
+ 
+-	    if (posptr != NULL && ptr >= posptr) // character at pos->col
+	    char_u *next_ptr = ptr + (*mb_ptr2len)(ptr);
+	    if (next_ptr - line > pos->col) // character at pos->col
+ 		break;
+ 
+ 	    vcol += incr;
+-	    MB_PTR_ADV(ptr);
+	    ptr = next_ptr;
+ 	}
+     }
+     else
+@@ -1284,11 +1266,12 @@ getvcol(
+ 		break;
+ 	    }
+ 
+-	    if (posptr != NULL && ptr >= posptr) // character at pos->col
+	    char_u *next_ptr = ptr + (*mb_ptr2len)(ptr);
+	    if (next_ptr - line > pos->col) // character at pos->col
+ 		break;
+ 
+ 	    vcol += incr;
+-	    MB_PTR_ADV(ptr);
+	    ptr = next_ptr;
+ 	}
+     }
+     if (start != NULL)
+-- 
+2.43.0
+
--- a/backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch
+++ b/backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch
@ -0,0 +1,58 @@
+From 59149f02692804267e7cc0665d0334f6ff4675be Mon Sep 17 00:00:00 2001
+From: zeertzjq <zeertzjq@outlook.com>
+Date: Sat, 14 Sep 2024 10:40:29 +0200
+Subject: [PATCH] patch 9.1.0730: Crash with cursor-screenline and narrow
+ window
+
+Problem:  Crash with cursor-screenline and narrow window
+          (elig0n)
+Solution: Don't set right_col when width2 is 0 (zeertzjq).
+
+fixes: #15677
+closes: #15678
+
+Signed-off-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/drawline.c                  |  2 +-
+ src/testdir/test_cursorline.vim | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/drawline.c b/src/drawline.c
+index b627192a4ee0f..fd5d56b43e508 100644
+--- a/src/drawline.c
+++ b/src/drawline.c
+@@ -61,7 +61,7 @@ margin_columns_win(win_T *wp, int *left_col, int *right_col)
+     *left_col = 0;
+     *right_col = width1;
+ 
+-    if (wp->w_virtcol >= (colnr_T)width1)
+    if (wp->w_virtcol >= (colnr_T)width1 && width2 > 0)
+ 	*right_col = width1 + ((wp->w_virtcol - width1) / width2 + 1) * width2;
+     if (wp->w_virtcol >= (colnr_T)width1 && width2 > 0)
+ 	*left_col = (wp->w_virtcol - width1) / width2 * width2 + width1;
+diff --git a/src/testdir/test_cursorline.vim b/src/testdir/test_cursorline.vim
+index bdde670d207a5..d258111ae4de1 100644
+--- a/src/testdir/test_cursorline.vim
+++ b/src/testdir/test_cursorline.vim
+@@ -293,6 +293,17 @@ func Test_cursorline_screenline_update()
+   call delete('Xcul_screenline')
+ endfunc
+ 
+func Test_cursorline_screenline_zero_width()
+  CheckOption foldcolumn
+
+  set cursorline culopt=screenline winminwidth=1 foldcolumn=1
+  " This used to crash Vim
+  1vnew | redraw
+
+  bwipe!
+  set cursorline& culopt& winminwidth& foldcolumn&
+endfunc
+
+ func Test_cursorline_cursorbind_horizontal_scroll()
+   CheckScreendump
+ 
+-- 
+2.43.0
+
--- a/backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
+++ b/backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
@ -0,0 +1,103 @@
+From dff3c9c1a789351a741b6a430862c8b2a0eff383 Mon Sep 17 00:00:00 2001
+From: 826814741_6 <44406129+826814741-6@users.noreply.github.com>
+Date: Tue, 10 Dec 2024 17:15:14 +0100
+Subject: [PATCH] patch 9.1.0918: tiny Vim crashes with fuzzy buffer completion
+
+Problem:  tiny Vim crashes with fuzzy buffer completion
+Solution: Adjust #ifdefs in ExpandBufnames() (826814741_6)
+
+closes: #16200
+
+Signed-off-by: h-east <h.east.727@gmail.com>
+Signed-off-by: 826814741_6 <44406129+826814741-6@users.noreply.github.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/buffer.c             |  4 ++--
+ src/testdir/Make_all.mak |  6 ++++--
+ src/testdir/test29.in    | 14 ++++++++++++++
+ src/testdir/test29.ok    |  1 +
+ 4 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 src/testdir/test29.in
+ create mode 100644 src/testdir/test29.ok
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 3b05f25d7f705b..147d20dc78f0ff 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -2902,9 +2902,9 @@ ExpandBufnames(
+     if (!fuzzy && patc != pat)
+ 	vim_free(patc);
+ 
+-#ifdef FEAT_VIMINFO
+     if (!fuzzy)
+     {
+#ifdef FEAT_VIMINFO
+ 	if (matches != NULL)
+ 	{
+ 	    int i;
+@@ -2924,13 +2924,13 @@ ExpandBufnames(
+ 	    }
+ 	    vim_free(matches);
+ 	}
+#endif
+     }
+     else
+     {
+ 	if (fuzzymatches_to_strmatches(fuzmatch, file, count, FALSE) == FAIL)
+ 	    return FAIL;
+     }
+-#endif
+ 
+     *num_file = count;
+     return (count == 0 ? FAIL : OK);
+diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
+index bdf058c1ec43a1..7285354838805a 100644
+--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
+@@ -16,7 +16,8 @@ SCRIPTS_TINY = \
+ 	test24 \
+ 	test25 \
+ 	test26 \
+-	test27
+	test27 \
+	test29
+ 
+ SCRIPTS_TINY_OUT = \
+ 	test20.out \
+@@ -26,7 +27,8 @@ SCRIPTS_TINY_OUT = \
+ 	test24.out \
+ 	test25.out \
+ 	test26.out \
+-	test27.out
+	test27.out \
+	test29.out
+ 
+ # Tests for Vim9 script.
+ TEST_VIM9 = \
+diff --git a/src/testdir/test29.in b/src/testdir/test29.in
+new file mode 100644
+index 00000000000000..047803c60ff7bd
+--- /dev/null
+++ b/src/testdir/test29.in
+@@ -0,0 +1,14 @@
+Test for buffer name completion when 'wildoptions' contains "fuzzy"
+(Confirm that Vim does not crash)
+
+STARTTEST
+:set wildoptions=fuzzy
+:new buf_a
+:b buf_a
+:q!
+:set wildoptions&
+:$w! test.out
+:qa!
+ENDTEST
+
+I'm alive!
+diff --git a/src/testdir/test29.ok b/src/testdir/test29.ok
+new file mode 100644
+index 00000000000000..6a0a7c94510a8e
+--- /dev/null
+++ b/src/testdir/test29.ok
+@@ -0,0 +1 @@
+I'm alive!
--- a/fix-CVE-2024-47814.patch
+++ b/fix-CVE-2024-47814.patch
@ -0,0 +1,118 @@
+From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 8 Oct 2024 09:09:11 +0800
+Subject: [PATCH] fix CVE-2024-47814
+
+Problem:  [security]: use-after-free when closing a buffer
+Solution: When splitting the window and editing a new buffer,
+          check whether the newly to be edited buffer has been marked
+          for deletion and abort in this case
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+---
+ src/buffer.c                 |  7 +++++++
+ src/ex_cmds.c                | 12 ++++++++++++
+ src/proto/buffer.pro         |  1 +
+ src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
+ src/version.c                |  2 ++
+ 5 files changed, 41 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 8ea57f7..1f71e38 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -470,6 +470,13 @@ can_unload_buffer(buf_T *buf)
+     return can_unload;
+ }
+ 
+    int
+buf_locked(buf_T *buf)
+{
+    return buf->b_locked || buf->b_locked_split;
+}
+
+
+ /*
+  * Close the link to a buffer.
+  * "action" is used when there is no longer a window for the buffer.
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 853df4b..92b5e9f 100644
+--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
+@@ -2692,6 +2692,18 @@ do_ecmd(
+ 	}
+ 	if (buf == NULL)
+ 	    goto theend;
+	// autocommands try to edit a file that is goind to be removed,
+	// abort
+	if (buf_locked(buf))
+	{
+	    // window was split, but not editing the new buffer,
+	    // reset b_nwindows again
+	    if (oldwin == NULL
+		    && curwin->w_buffer != NULL
+		    && curwin->w_buffer->b_nwindows > 1)
+		--curwin->w_buffer->b_nwindows;
+	    goto theend;
+	}
+ 	if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
+ 	    // reusing the buffer, keep the old alternate file
+ 	    curwin->w_alt_fnum = prev_alt_fnum;
+diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
+index 094feed..031e64a 100644
+--- a/src/proto/buffer.pro
+++ b/src/proto/buffer.pro
+@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
+ void set_buflisted(int on);
+ int buf_contents_changed(buf_T *buf);
+ void wipe_buffer(buf_T *buf, int aucmd);
+int buf_locked(buf_T *buf);
+ /* vim: set ft=c : */
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index d8738c8..e251112 100644
+--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
+@@ -3633,4 +3633,23 @@ func Test_autocmd_split_dummy()
+   call delete('Xerr')
+ endfunc
+ 
+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+  new
+  let fname = 'XXXBufWinLeaveUAF.txt'
+  let dummy = 'XXXDummy.txt'
+  call writefile([], fname)
+  call writefile([], dummy)
+  defer delete(fname)
+  defer delete(dummy)
+  exe "e " fname
+  vsp
+  augroup testing
+    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+  augroup END
+  bw
+  call CleanUpTestAuGroup()
+  exe "bw! " .. dummy
+endfunc
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 2de8fd2..5946644 100644
+--- a/src/version.c
+++ b/src/version.c
+@@ -735,6 +735,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+/**/
+    679,
+ /**/
+     678,
+ /**/
+-- 
+2.43.0
+
--- a/vim-Add-sw64-architecture.patch
+++ b/vim-Add-sw64-architecture.patch
@ -0,0 +1,42 @@
+From 5c8a08bf2260585ffd0202f3506456e53b74e987 Mon Sep 17 00:00:00 2001
+From: wzx <wuzx1226@qq.com>
+Date: Thu, 24 Nov 2022 14:10:28 +0800
+Subject: [PATCH] Add sw64 architecture
+
+Add sw64 architecture in file runtime/syntax/debcontrol.vim and src/osdef1.h.in to support sw64 architecture.
+
+Signed-off-by: wzx <wuzx1226@qq.com>
+---
+ runtime/syntax/debcontrol.vim | 2 +-
+ src/osdef1.h.in               | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/runtime/syntax/debcontrol.vim b/runtime/syntax/debcontrol.vim
+index 9085cd0..5c945c4 100644
+--- a/runtime/syntax/debcontrol.vim
+++ b/runtime/syntax/debcontrol.vim
+@@ -28,7 +28,7 @@ syn match debControlSpace "[ \t]"
+ 
+ let s:kernels = ['linux', 'hurd', 'kfreebsd', 'knetbsd', 'kopensolaris', 'netbsd']
+ let s:archs = [
+-      \ 'alpha', 'amd64', 'armeb', 'armel', 'armhf', 'arm64', 'avr32', 'hppa'
+      \ 'alpha', 'sw_64', 'amd64', 'armeb', 'armel', 'armhf', 'arm64', 'avr32', 'hppa'
+       \, 'i386', 'ia64', 'lpia', 'm32r', 'm68k', 'mipsel', 'mips64el', 'mips'
+       \, 'powerpcspe', 'powerpc', 'ppc64el', 'ppc64', 'riscv64', 's390x', 's390', 'sh3eb'
+       \, 'sh3', 'sh4eb', 'sh4', 'sh', 'sparc64', 'sparc', 'x32'
+diff --git a/src/osdef1.h.in b/src/osdef1.h.in
+index 825fe94..f8c3b9d 100644
+--- a/src/osdef1.h.in
+++ b/src/osdef1.h.in
+@@ -132,7 +132,7 @@ extern char	*getcwd(char *, int);
+ #else
+ extern char	*getwd(char *);
+ #endif
+-#ifndef __alpha	/* suggested by Campbell */
+#if !defined __alpha && !defined __sw_64 /* suggested by Campbell */
+ extern int	ioctl(int, int, ...);
+ #endif
+ extern int	chmod(const char *, mode_t);
+-- 
+2.33.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        25
+Release:        31
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -125,8 +125,16 @@ Patch6095:      backport-CVE-2024-41965.patch
 Patch6096:      backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.patch
 Patch6097:      backport-CVE-2024-41957.patch
 Patch6098:      backport-CVE-2024-43374.patch
+Patch6099:      backport-CVE-2024-43802.patch
+Patch6100:      backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch
+Patch6101:      backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
+Patch6102:      backport-patch-9.1.0038-Unnecessary-loop-in-getvcol.patch
+Patch6103:      backport-CVE-2025-22134.patch
+Patch6104:      backport-CVE-2025-24014.patch

 Patch9000:      bugfix-rm-modify-info-version.patch
+Patch9001:      vim-Add-sw64-architecture.patch
+Patch9002:      fix-CVE-2024-47814.patch

 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -413,7 +421,7 @@ touch %{buildroot}%{_datadir}/%{name}/vimfiles/doc/tags

 chrpath -d %{buildroot}%{_bindir}/vim
 chrpath -d %{buildroot}%{_bindir}/xxd
- 
+
 mkdir -p %{buildroot}/etc/ld.so.conf.d
 echo "%{_libdir}/perl5/CORE" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf

@ -431,7 +439,7 @@ popd
 %check
 %if "%{_gpg_name}" == "private OBS"
 export TERM=xterm
-LC_ALL=en_US.UTF-8 make -j1 test
+LANG=en_US.UTF-8 make -j1 test
 %endif

 %files common
@ -534,6 +542,36 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Jan 20 2025 wangjiang <app@cameyan.com> - 2:9.0-31
+- Type:CVE
+- ID:CVE-2025-22134 CVE-2025-24014
+- SUG:NA
+- DESC:CVE-2025-22134 CVE-2025-24014
+
+* Fri Dec 13 2024 wangjiang <app@cameyan.com> - 2:9.0-30
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix tiny-Vim crashes with fuzzy buffer completion
+
+* Tue Nov 12 2024 wangjiang <app@cameyan.com> - 2:9.0-29
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix coredump when use vnew command
+
+* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0-28
+- Type:CVE
+- ID:CVE-2024-47814
+- SUG:NA
+- DESC:fix CVE-2024-47814
+
+* Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0-26
+- Type:CVE
+- ID:CVE-2024-43802
+- SUG:NA
+- DESC:fix CVE-2024-43802
+
 * Wed Aug 21 2024 wangjiang <wangjiang37@h-partners.com> - 2:9.0-25
 - Type:enhacement
 - ID:NA
--- a/vim.yaml
+++ b/vim.yaml
@ -0,0 +1,4 @@
+version_control: github
+src_repo: vim/vim
+tag_prefix: ^v
+seperator: .
Author	SHA1	Message	Date
openeuler-ci-bot	f51d1373d0	!694 [sync] PR-691: fix CVE-2025-22134 CVE-2025-24014 From: @openeuler-sync-bot Reviewed-by: @znzjugod Signed-off-by: @znzjugod	2025-02-12 06:14:04 +00:00
wjiang	6e71200efe	fix CVE-2025-22134 CVE-2025-24014 (cherry picked from commit 00c355a17760a5d54b06d270a862e6d25447ea61)	2025-02-12 11:30:29 +08:00
openeuler-ci-bot	fed1638790	!685 [sync] PR-681: fix tiny-Vim crashes with fuzzy buffer completion From: @openeuler-sync-bot Reviewed-by: @znzjugod Signed-off-by: @znzjugod	2024-12-17 07:49:35 +00:00
wjiang	0b42c9c6e9	fix tiny-Vim crashes with fuzzy buffer completion (cherry picked from commit 9ebfbbf080b978e36e19c6f59387f519e548623f)	2024-12-17 10:38:22 +08:00
openeuler-ci-bot	3d4f5f9c9f	!676 [sync] PR-675: fix coredump when use vnew command From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-11-19 09:13:52 +00:00
wjiang	85380cd45b	fix coredump when use vnew command (cherry picked from commit efd839812258b302b93977ced31a7dc46f8da7dd)	2024-11-19 08:48:30 +08:00
openeuler-ci-bot	e7f42babfa	!669 fix-CVE-2024-47814 From: @fundawang Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen	2024-10-08 06:09:11 +00:00
Funda Wang	df214d4e99	fix-CVE-2024-47814	2024-10-08 12:01:58 +08:00
openeuler-ci-bot	050cbe38b7	!653 fix CVE-2024-43802 From: @fwo Reviewed-by: @zhoupengcheng11, @gaoruoshu Signed-off-by: @gaoruoshu	2024-09-02 07:42:18 +00:00
wjiang	a632dbe6b4	fix CVE-2024-43802	2024-08-30 10:03:41 +08:00