fix CVE-2022-3134 CVE-2022-3153

backport-CVE-2022-3134.patch

@@ -0,0 +1,69 @@
+From ccfde4d028e891a41e3548323c3d47b06fb0b83e Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 5 Sep 2022 19:51:13 +0100
+Subject: [PATCH] patch 9.0.0389: crash when 'tagfunc' closes the window
+
+Problem:    Crash when 'tagfunc' closes the window.
+Solution:   Bail out when the window was closed.
+
+---
+ src/errors.h                 |  2 ++
+ src/tag.c                    | 10 ++++++++++
+ src/testdir/test_tagfunc.vim | 12 ++++++++++++
+ 3 files changed, 24 insertions(+)
+
+diff --git a/src/errors.h b/src/errors.h
+index 43a1c9b..bfb4ae8 100644
+--- a/src/errors.h
++++ b/src/errors.h
+@@ -3304,3 +3304,5 @@ EXTERN char e_could_not_check_for_pending_sigalrm_str[]
+ EXTERN char e_substitute_nesting_too_deep[]
+ 	INIT(= N_("E1290: substitute nesting too deep"));
+ #endif
++EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
++	INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
+diff --git a/src/tag.c b/src/tag.c
+index 8edb0c7..b4915cb 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -690,6 +690,16 @@ do_tag(
+ 		max_num_matches = MAXCOL; // If less than max_num_matches
+ 					  // found: all matches found.
+ 
++		// A tag function may do anything, which may cause various
++	    // information to become invalid.  At least check for the tagstack
++	    // to still be the same.
++	    if (tagstack != curwin->w_tagstack)
++	    {
++		emsg(_(e_window_unexpectedly_close_while_searching_for_tags));
++		FreeWild(new_num_matches, new_matches);
++		break;
++	    }
++
+ 	    // If there already were some matches for the same name, move them
+ 	    // to the start.  Avoids that the order changes when using
+ 	    // ":tnext" and jumping to another file.
+diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim
+index 9582612..c10a82d 100644
+--- a/src/testdir/test_tagfunc.vim
++++ b/src/testdir/test_tagfunc.vim
+@@ -401,4 +401,16 @@ func Test_tagfunc_wipes_buffer()
+   set tagfunc=
+ endfunc
+ 
++func Test_tagfunc_closes_window()
++  split any
++  func MytagfuncClose(pat, flags, info)
++    close
++    return [{'name' : 'mytag', 'filename' : 'Xtest', 'cmd' : '1'}]
++  endfunc
++  set tagfunc=MytagfuncClose
++  call assert_fails('tag xyz', 'E1299:')
++
++  set tagfunc=
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.33.0
+

backport-CVE-2022-3153.patch

@@ -0,0 +1,87 @@
+From 1540d334a04d874c2aa9d26b82dbbcd4bc5a78de Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 7 Sep 2022 15:20:26 +0100
+Subject: [PATCH] patch 9.0.0404: crash when passing invalid arguments to
+ assert_fails()
+
+Problem:    Crash when passing invalid arguments to assert_fails().
+Solution:   Check for NULL string.
+---
+ src/testdir/test_assert.vim | 19 +++++++++++++++++--
+ src/testing.c               |  9 +++++++++
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
+index 7c9d090..9d8a018 100644
+--- a/src/testdir/test_assert.vim
++++ b/src/testdir/test_assert.vim
+@@ -278,6 +278,21 @@ func Test_assert_fail_fails()
+   endtry
+   call assert_match("E1222: String or List required for argument 2", exp)
+ 
++  try
++    call assert_equal(0, assert_fails('xxx', [#{one: 1}]))
++  catch
++    let exp = v:exception
++  endtry
++  call assert_match("E731: Using a Dictionary as a String", exp)
++
++  let exp = ''
++  try
++    call assert_equal(0, assert_fails('xxx', ['E492', #{one: 1}]))
++  catch
++    let exp = v:exception
++  endtry
++  call assert_match("E731: Using a Dictionary as a String", exp)
++
+   try
+     call assert_equal(1, assert_fails('xxx', 'E492', '', 'burp'))
+   catch
+@@ -292,8 +307,8 @@ func Test_assert_fail_fails()
+   endtry
+   call assert_match("E1174: String required for argument 5", exp)
+ 
+-  call assert_equal(1, assert_fails('c0', ['', '\1']))
+-  call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
++  call assert_equal(1, assert_fails('c0', ['', '\(.\)\1']))
++  call assert_match("Expected '\\\\\\\\(.\\\\\\\\)\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
+   call remove(v:errors, 0)
+ endfunc
+ 
+diff --git a/src/testing.c b/src/testing.c
+index 43b8d20..b4c4ff4 100644
+--- a/src/testing.c
++++ b/src/testing.c
+@@ -616,6 +616,11 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+     in_assert_fails = TRUE;
+ 
+     do_cmdline_cmd(cmd);
++
++    // reset here for any errors reported below
++    trylevel = save_trylevel;
++    suppress_errthrow = FALSE;
++
+     if (called_emsg == called_emsg_before)
+     {
+ 	prepare_assert_error(&ga);
+@@ -654,6 +659,8 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ 	    CHECK_LIST_MATERIALIZE(list);
+ 	    tv = &list->lv_first->li_tv;
+ 	    expected = tv_get_string_buf_chk(tv, buf);
++	    if (expected == NULL)
++		goto theend;
+ 	    if (!pattern_match(expected, actual, FALSE))
+ 	    {
+ 		error_found = TRUE;
+@@ -667,6 +674,8 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ 		{
+ 		    tv = &list->lv_u.mat.lv_last->li_tv;
+ 		    expected = tv_get_string_buf_chk(tv, buf);
++		    if (expected == NULL)
++			goto theend;
+ 		    if (!pattern_match(expected, actual, FALSE))
+ 		    {
+ 			error_found = TRUE;
+-- 
+2.27.0
+

vim.spec

@@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        9.0
-Release:        12
+Release:        13
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@@ -61,6 +61,8 @@ Patch6030:      backport-CVE-2022-2982.patch
 Patch6031:      backport-CVE-2022-3016.patch
 Patch6032:      backport-CVE-2022-3037.patch
 Patch6033:      backport-CVE-2022-3099.patch
+Patch6034:      backport-CVE-2022-3134.patch
+Patch6035:      backport-CVE-2022-3153.patch
 
 Patch9000:      bugfix-rm-modify-info-version.patch
 
@@ -459,6 +461,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Tue Sep 13 2022 wangjiang <wangjiang37@h-partners.com> - 2:9.0-13
+- Type:CVE
+- ID:CVE-2022-3134CVE-2022-3153
+- SUG:NA
+- DESC:fix CVE-2022-3134 CVE-2022-3153
+
 * Thu Sep 08 2022 renhongxun <renhongxun@h-partners.com> - 2:9.0-12
 - Type:CVE
 - ID:CVE-2022-3099