!684 [sync] PR-682: fix tiny-Vim crashes with fuzzy buffer completion

From: @openeuler-sync-bot 
Reviewed-by: @znzjugod 
Signed-off-by: @znzjugod

backport-CVE-2024-43802.patch

@@ -0,0 +1,45 @@
+From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 25 Aug 2024 21:33:03 +0200
+Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
+ ins_typebuf
+
+Problem:  heap-buffer-overflow in ins_typebuf
+          (SuyueGuo)
+Solution: When flushing the typeahead buffer, validate that there
+          is enough space left
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/getchar.c                    |  15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 29323fa328bd1..96e180f4ae1a9 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -438,9 +438,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
+ 
+     if (flush_typeahead == FLUSH_MINIMAL)
+     {
+-	// remove mapped characters at the start only
+-	typebuf.tb_off += typebuf.tb_maplen;
+-	typebuf.tb_len -= typebuf.tb_maplen;
++	// remove mapped characters at the start only,
++	// but only when enough space left in typebuf
++	if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
++	{
++	    typebuf.tb_off = MAXMAPLEN;
++	    typebuf.tb_len = 0;
++	}
++	else
++	{
++	    typebuf.tb_off += typebuf.tb_maplen;
++	    typebuf.tb_len -= typebuf.tb_maplen;
++	}
+ #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
+ 	if (typebuf.tb_len == 0)
+ 	    typebuf_was_filled = FALSE;

backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch

@@ -0,0 +1,116 @@
+From 701c863e68fa24847100beef3c9008024615a081 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 8 Sep 2024 20:05:23 +0200
+Subject: [PATCH] patch 9.1.0722: crash with large id in text_prop interface
+
+Problem:  crash with large id in text_prop interface
+          prop_add()/prop_add_list() (cposture)
+Solution: Error out if the id is > INT_MAX or <= INT_MIN
+
+fixes: #15637
+closes: #15638
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ runtime/doc/textprop.txt      | 12 ++++++------
+ src/testdir/test_textprop.vim |  4 ++++
+ src/textprop.c                | 22 ++++++++++++++++++++--
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/runtime/doc/textprop.txt b/runtime/doc/textprop.txt
+index 6b46e06df9a20..0a04abbdb6d01 100644
+--- a/runtime/doc/textprop.txt
++++ b/runtime/doc/textprop.txt
+@@ -1,4 +1,4 @@
+-*textprop.txt*  For Vim version 9.0.  Last change: 2023 Apr 23
++*textprop.txt*  For Vim version 9.1.  Last change: 2024 Sep 08
+ 
+ 
+ 		  VIM REFERENCE MANUAL    by Bram Moolenaar
+@@ -138,10 +138,10 @@ prop_add({lnum}, {col}, {props})
+ 		   bufnr	buffer to add the property to; when omitted
+ 				the current buffer is used
+ 		   id		user defined ID for the property; must be a
+-				number, should be positive; when using "text"
+-				then "id" must not be present and will be set
+-				automatically to a negative number; otherwise
+-				zero is used
++				number, should be positive |E1510|;
++				when using "text" then "id" must not be
++				present and will be set automatically to a
++				negative number; otherwise zero is used
+ 							*E1305*
+ 		   text		text to be displayed before {col}, or
+ 				above/below the line if {col} is zero; prepend
+@@ -267,7 +267,7 @@ prop_add_list({props}, [{item}, ...])
+ 			call prop_add_list(#{type: 'MyProp', id: 2},
+ 					\ [[1, 4, 1, 7],
+ 					\  [1, 15, 1, 20],
+-					\  [2, 30, 3, 30]]
++					\  [2, 30, 3, 30]])
+ <
+ 		Can also be used as a |method|: >
+ 			GetProp()->prop_add_list([[1, 1, 1, 2], [1, 4, 1, 8]])
+diff --git a/src/testdir/test_textprop.vim b/src/testdir/test_textprop.vim
+index 57277f79e2506..bbb911f959305 100644
+--- a/src/testdir/test_textprop.vim
++++ b/src/testdir/test_textprop.vim
+@@ -393,6 +393,8 @@ func Test_prop_add_list()
+   call assert_fails('call prop_add_list(test_null_dict(), [[2, 2, 2]])', 'E965:')
+   call assert_fails('call prop_add_list(#{type: "one"}, test_null_list())', 'E1298:')
+   call assert_fails('call prop_add_list(#{type: "one"}, [test_null_list()])', 'E714:')
++  call assert_fails('call prop_add_list(#{type: "one", id: 2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:')
++  call assert_fails('call prop_add_list(#{type: "one", id: -2147483648}, [[2, 2, 2, 2], [3, 20, 3, 22]])', 'E1510:')
+ 
+   " only one error for multiple wrong values
+   call assert_fails('call prop_add_list(#{type: "one"}, [[{}, [], 0z00, 0.3]])', ['E728:', 'E728:'])
+@@ -1743,6 +1745,8 @@ func Test_prop_func_invalid_args()
+   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'length':-1})", 'E475:')
+   call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'end_col':0})", 'E475:')
+   call assert_fails("call prop_add(2, 3, {'length':1})", 'E965:')
++  call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': 2147483648})", 'E1510:')
++  call assert_fails("call prop_add(2, 3, {'type': 'xxx', 'id': -2147483648})", 'E1510:')
+ 
+   call prop_type_delete('xxx')
+   bwipe!
+diff --git a/src/textprop.c b/src/textprop.c
+index fe0c8d20cbd46..d16f8ecef3abe 100644
+--- a/src/textprop.c
++++ b/src/textprop.c
+@@ -372,7 +372,16 @@ f_prop_add_list(typval_T *argvars, typval_T *rettv UNUSED)
+     type_name = dict_get_string(dict, "type", FALSE);
+ 
+     if (dict_has_key(dict, "id"))
+-	id = dict_get_number(dict, "id");
++    {
++	long long x;
++	x = dict_get_number(dict, "id");
++	if (x > INT_MAX || x  <= INT_MIN)
++	{
++	    semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
++	    return;
++	}
++	id = (int)x;
++    }
+ 
+     if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL)
+ 	return;
+@@ -497,7 +506,16 @@ prop_add_common(
+ 	end_col = 1;
+ 
+     if (dict_has_key(dict, "id"))
+-	id = dict_get_number(dict, "id");
++    {
++	long long x;
++	x = dict_get_number(dict, "id");
++	if (x > INT_MAX || x  <= INT_MIN)
++	{
++	    semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
++	    goto theend;
++	}
++	id = (int)x;
++    }
+ 
+     if (dict_has_key(dict, "text"))
+     {
+

backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch

@@ -0,0 +1,56 @@
+From 59149f02692804267e7cc0665d0334f6ff4675be Mon Sep 17 00:00:00 2001
+From: zeertzjq <zeertzjq@outlook.com>
+Date: Sat, 14 Sep 2024 10:40:29 +0200
+Subject: [PATCH] patch 9.1.0730: Crash with cursor-screenline and narrow
+ window
+
+Problem:  Crash with cursor-screenline and narrow window
+          (elig0n)
+Solution: Don't set right_col when width2 is 0 (zeertzjq).
+
+fixes: #15677
+closes: #15678
+
+Signed-off-by: zeertzjq <zeertzjq@outlook.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/drawline.c                  |  2 +-
+ src/testdir/test_cursorline.vim | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/drawline.c b/src/drawline.c
+index b627192a4ee0f..fd5d56b43e508 100644
+--- a/src/drawline.c
++++ b/src/drawline.c
+@@ -62,7 +62,7 @@ margin_columns_win(win_T *wp, int *left_col, int *right_col)
+     *left_col = 0;
+     *right_col = width1;
+ 
+-    if (wp->w_virtcol >= (colnr_T)width1)
++    if (wp->w_virtcol >= (colnr_T)width1 && width2 > 0)
+ 	*right_col = width1 + ((wp->w_virtcol - width1) / width2 + 1) * width2;
+     if (wp->w_virtcol >= (colnr_T)width1 && width2 > 0)
+ 	*left_col = (wp->w_virtcol - width1) / width2 * width2 + width1;
+diff --git a/src/testdir/test_cursorline.vim b/src/testdir/test_cursorline.vim
+index bdde670d207a5..d258111ae4de1 100644
+--- a/src/testdir/test_cursorline.vim
++++ b/src/testdir/test_cursorline.vim
+@@ -309,6 +309,17 @@ func Test_cursorline_screenline_update()
+   call StopVimInTerminal(buf)
+ endfunc
+ 
++func Test_cursorline_screenline_zero_width()
++  CheckOption foldcolumn
++
++  set cursorline culopt=screenline winminwidth=1 foldcolumn=1
++  " This used to crash Vim
++  1vnew | redraw
++
++  bwipe!
++  set cursorline& culopt& winminwidth& foldcolumn&
++endfunc
++
+ func Test_cursorline_cursorbind_horizontal_scroll()
+   CheckScreendump
+ 
+

backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch

@@ -0,0 +1,103 @@
+From dff3c9c1a789351a741b6a430862c8b2a0eff383 Mon Sep 17 00:00:00 2001
+From: 826814741_6 <44406129+826814741-6@users.noreply.github.com>
+Date: Tue, 10 Dec 2024 17:15:14 +0100
+Subject: [PATCH] patch 9.1.0918: tiny Vim crashes with fuzzy buffer completion
+
+Problem:  tiny Vim crashes with fuzzy buffer completion
+Solution: Adjust #ifdefs in ExpandBufnames() (826814741_6)
+
+closes: #16200
+
+Signed-off-by: h-east <h.east.727@gmail.com>
+Signed-off-by: 826814741_6 <44406129+826814741-6@users.noreply.github.com>
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+---
+ src/buffer.c             |  4 ++--
+ src/testdir/Make_all.mak |  6 ++++--
+ src/testdir/test29.in    | 14 ++++++++++++++
+ src/testdir/test29.ok    |  1 +
+ 4 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 src/testdir/test29.in
+ create mode 100644 src/testdir/test29.ok
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 3b05f25d7f705b..147d20dc78f0ff 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -2956,9 +2956,9 @@ ExpandBufnames(
+     if (!fuzzy && patc != pat)
+ 	vim_free(patc);
+ 
+-#ifdef FEAT_VIMINFO
+     if (!fuzzy)
+     {
++#ifdef FEAT_VIMINFO
+ 	if (matches != NULL)
+ 	{
+ 	    int i;
+@@ -2978,13 +2978,13 @@ ExpandBufnames(
+ 	    }
+ 	    vim_free(matches);
+ 	}
++#endif
+     }
+     else
+     {
+ 	if (fuzzymatches_to_strmatches(fuzmatch, file, count, FALSE) == FAIL)
+ 	    return FAIL;
+     }
+-#endif
+ 
+     *num_file = count;
+     return (count == 0 ? FAIL : OK);
+diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
+index bdf058c1ec43a1..7285354838805a 100644
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -20,7 +20,8 @@ SCRIPTS_TINY = \
+ 	test24 \
+ 	test25 \
+ 	test26 \
+-	test27
++	test27 \
++	test29
+ 
+ SCRIPTS_TINY_OUT = \
+ 	test10.out \
+@@ -31,7 +32,8 @@ SCRIPTS_TINY_OUT = \
+ 	test24.out \
+ 	test25.out \
+ 	test26.out \
+-	test27.out
++	test27.out \
++	test29.out
+ 
+ # Tests for Vim9 script.
+ TEST_VIM9 = \
+diff --git a/src/testdir/test29.in b/src/testdir/test29.in
+new file mode 100644
+index 00000000000000..047803c60ff7bd
+--- /dev/null
++++ b/src/testdir/test29.in
+@@ -0,0 +1,14 @@
++Test for buffer name completion when 'wildoptions' contains "fuzzy"
++(Confirm that Vim does not crash)
++
++STARTTEST
++:set wildoptions=fuzzy
++:new buf_a
++:b buf_a
++:q!
++:set wildoptions&
++:$w! test.out
++:qa!
++ENDTEST
++
++I'm alive!
+diff --git a/src/testdir/test29.ok b/src/testdir/test29.ok
+new file mode 100644
+index 00000000000000..6a0a7c94510a8e
+--- /dev/null
++++ b/src/testdir/test29.ok
+@@ -0,0 +1 @@
++I'm alive!

fix-CVE-2024-47814.patch

@@ -0,0 +1,117 @@
+From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Tue, 8 Oct 2024 09:24:30 +0800
+Subject: [PATCH] fix CVE-2024-47814
+
+Problem:  [security]: use-after-free when closing a buffer
+Solution: When splitting the window and editing a new buffer,
+          check whether the newly to be edited buffer has been marked
+          for deletion and abort in this case
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+---
+ src/buffer.c                 |  6 ++++++
+ src/ex_cmds.c                | 12 ++++++++++++
+ src/proto/buffer.pro         |  1 +
+ src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
+ src/version.c                |  2 ++
+ 5 files changed, 40 insertions(+)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 260d22e..6bdb7a6 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -496,6 +496,12 @@ can_unload_buffer(buf_T *buf)
+     return can_unload;
+ }
+ 
++    int
++buf_locked(buf_T *buf)
++{
++    return buf->b_locked || buf->b_locked_split;
++}
++
+ /*
+  * Close the link to a buffer.
+  * "action" is used when there is no longer a window for the buffer.
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 46c4503..31cef2a 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -2740,6 +2740,18 @@ do_ecmd(
+ 	}
+ 	if (buf == NULL)
+ 	    goto theend;
++	// autocommands try to edit a file that is goind to be removed,
++	// abort
++	if (buf_locked(buf))
++	{
++	    // window was split, but not editing the new buffer,
++	    // reset b_nwindows again
++	    if (oldwin == NULL
++		    && curwin->w_buffer != NULL
++		    && curwin->w_buffer->b_nwindows > 1)
++		--curwin->w_buffer->b_nwindows;
++	    goto theend;
++	}
+ 	if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
+ 	    // reusing the buffer, keep the old alternate file
+ 	    curwin->w_alt_fnum = prev_alt_fnum;
+diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
+index 3a61027..dc68ca8 100644
+--- a/src/proto/buffer.pro
++++ b/src/proto/buffer.pro
+@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
+ void set_buflisted(int on);
+ int buf_contents_changed(buf_T *buf);
+ void wipe_buffer(buf_T *buf, int aucmd);
++int buf_locked(buf_T *buf);
+ /* vim: set ft=c : */
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 0652a6f..3abde1e 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -4311,4 +4311,23 @@ func Test_autocmd_shortmess()
+   delfunc SetupVimTest_shm
+ endfunc
+ 
++" This was using freed memory
++func Test_autocmd_BufWinLeave_with_vsp()
++  new
++  let fname = 'XXXBufWinLeaveUAF.txt'
++  let dummy = 'XXXDummy.txt'
++  call writefile([], fname)
++  call writefile([], dummy)
++  defer delete(fname)
++  defer delete(dummy)
++  exe "e " fname
++  vsp
++  augroup testing
++    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
++  augroup END
++  bw
++  call CleanUpTestAuGroup()
++  exe "bw! " .. dummy
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 10916ed..286a45f 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -704,6 +704,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/    
++    679,
+ /**/
+     678,
+ /**/
+-- 
+2.43.0
+

vim.spec

@@ -14,7 +14,7 @@
 Name:           vim
 Epoch:          2
 Version:        %{baseversion}.%{patchlevel}
-Release:        10
+Release:        15
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -49,8 +49,13 @@ Patch6014:      backport-CVE-2024-41965.patch
 Patch6015:      backport-patch-9.1.0554-bw-leaves-jumplist-and-tagstack-data-.patch
 Patch6016:      backport-CVE-2024-41957.patch
 Patch6017:      backport-CVE-2024-43374.patch
+Patch6018:      backport-CVE-2024-43802.patch
+Patch6019:      backport-patch-9.1.0722-crash-with-large-id-in-text_prop-interface.patch
+Patch6020:      backport-patch-9.1.0730-crash-with-cursor-screenline-and-narrow-window.patch
+Patch6021:      backport-patch-9.1.0918-tiny-vim-crashes-with-fuzzy-buffer-completion.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
+Patch9001:      fix-CVE-2024-47814.patch
 
 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@@ -456,6 +461,36 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
 %{_mandir}/man1/evim.*
 
 %changelog
+* Fri Dec 13 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-15
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix tiny-Vim crashes with fuzzy buffer completion
+
+* Tue Nov 12 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-14
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix coredump when use vnew command
+
+* Thu Oct 17 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-13
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix coredump in prop_add() with id>INT_MAX
+
+* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0.2092-12
+- Type:CVE
+- ID:CVE-2024-47814
+- SUG:NA
+- DESC:fix CVE-2024-47814
+
+* Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-11
+- Type:CVE
+- ID:CVE-2024-43802
+- SUG:NA
+- DESC:fix CVE-2024-43802
+
 * Wed Aug 21 2024 Funda Wang <fundawang@yeah.net> - 2:9.0.2092-10
 - Type:enhacement
 - ID:NA