From 950df88546bd9c5e536bd00f2b1f9834bba2887b Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Wed, 12 Oct 2022 11:12:50 +0800
Subject: [PATCH] fix CVE-2022-3352

---
 backport-CVE-2022-3352.patch | 79 +++++++++++++++++++
 ...-fails-because-error-message-changed.patch | 28 +++++++
 vim.spec | 11 ++-
 3 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-3352.patch
 create mode 100644 backport-spell-test-fails-because-error-message-changed.patch

diff --git a/backport-CVE-2022-3352.patch b/backport-CVE-2022-3352.patch
new file mode 100644
index 0000000..5c92cc0
--- /dev/null
+++ b/backport-CVE-2022-3352.patch
@@ -0,0 +1,79 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem: SpellFileMissing autocmd may delete buffer.
+Solution: Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c | 7 ++++++-
+ src/spell.c | 6 ++++++
+ src/testdir/test_autocmd.vim | 10 ++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index e775398..a85b2a8 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -461,7 +461,12 @@ can_unload_buffer(buf_T *buf)
+ }
+ }
+ if (!can_unload)
+- semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str), buf->b_fname);
++ {
++ char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
++
++ semsg(_(e_attempt_to_delete_buffer_that_is_in_use_str),
++ fname != NULL ? fname : (char_u *)"[No Name]");
++ }
+ return can_unload;
+ }
+
+diff --git a/src/spell.c b/src/spell.c
+index 24abce4..3664425 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1559,6 +1559,10 @@ spell_load_lang(char_u *lang)
+ sl.sl_slang = NULL;
+ sl.sl_nobreak = FALSE;
+
++ // Disallow deleting the current buffer. Autocommands can do weird things
++ // and cause "lang" to be freed.
++ ++curbuf->b_locked;
++
+ // We may retry when no spell file is found for the language, an
+ // autocommand may load it then.
+ for (round = 1; round <= 2; ++round)
+@@ -1612,6 +1616,8 @@ spell_load_lang(char_u *lang)
+ STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+ }
++
++ --curbuf->b_locked;
+ }
+
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index e9a59c2..bc74c29 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -2750,6 +2750,16 @@ func Test_FileType_spell()
+ setglobal spellfile=
+ endfunc
+
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++ next 0
++ au SpellFileMissing 0 bwipe
++ call assert_fails('set spell spelllang=0', 'E937:')
++
++ au! SpellFileMissing
++ bwipe
++endfunc
++
+ " Test closing a window or editing another buffer from a FileChangedRO handler
+ " in a readonly buffer
+ func Test_FileChangedRO_winclose()
+-- 
+2.27.0
+
diff --git a/backport-spell-test-fails-because-error-message-changed.patch b/backport-spell-test-fails-because-error-message-changed.patch
new file mode 100644
index 0000000..9dd40f1
--- /dev/null
+++ b/backport-spell-test-fails-because-error-message-changed.patch
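Review bot: In the spell.c part of this backport, `++curbuf->b_locked` before the retry loop and `--curbuf->b_locked` after it both go through `curbuf` at the moment they run, so if a SpellFileMissing handler that fires in between makes another buffer current, the unlock lands on the wrong buffer: the original stays locked and the new current buffer's count drops below what it was. Pinning both operations to one pointer avoids that: `buf_T *buf = curbuf;` and `++buf->b_locked;` before the loop, `--buf->b_locked;` after it; a buffer with `b_locked` set is exactly what the buffer.c hunk's `can_unload_buffer` refuses to release, so the saved pointer cannot dangle while the lock is held. Whether an autocommand can really switch buffers while the lock is held is inferred rather than visible here. The loop body of `spell_load_lang` between the two spell.c hunks is outside the patch, so also confirm no early return on that path skips the decrement.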
@@ -0,0 +1,28 @@
+From 371951d0c34d4f44b50ad8bc8d30a4ef7effade6 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 28 Sep 2022 14:08:23 +0100
+Subject: [PATCH] patch 9.0.0616: spell test fails because error message
+ changed
+
+Problem: Spell test fails because error message changed.
+Solution: Adjust expected error message.
+---
+ src/testdir/test_spell.vim | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index 9cc7d68..bc948b0 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -145,7 +145,7 @@ func Test_spell_file_missing()
+ augroup TestSpellFileMissing
+ autocmd! SpellFileMissing * bwipe
+ augroup END
+- call assert_fails('set spell spelllang=ab_cd', 'E797:')
++ call assert_fails('set spell spelllang=ab_cd', 'E937:')
+
+ " clean up
+ augroup TestSpellFileMissing
+-- 
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index c0e2acc..a242da8 100644
--- a/vim.spec
+++ b/vim.spec
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 17
+Release: 18
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -67,6 +67,8 @@ Patch6036: backport-CVE-2022-3234.patch
 Patch6037: backport-CVE-2022-3235.patch
 Patch6038: backport-CVE-2022-3256.patch
 Patch6039: backport-CVE-2022-3296.patch
+Patch6040: backport-CVE-2022-3352.patch
+Patch6041: backport-spell-test-fails-because-error-message-changed.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 
@@ -365,6 +367,7 @@ popd
 %{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :
 
 %check
+export TERM=xterm
 LC_ALL=en_US.UTF-8 make -j1 test
 
 %files common
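Review bot: The `+export TERM=xterm` added under `%check` in vim.spec changes how the whole test suite runs and is unrelated to the CVE, yet neither the commit subject nor the new changelog entry mentions it. If the tests need a terminal type in the build chroot, say so next to the line, e.g. `# test suite needs a TERM value; none is set in the build environment` (presumably the reason, but confirm), and record it in the changelog so a later packager does not drop it as noise. In the Patch list hunk, Patch6040 and Patch6041 are only declared; whether they are applied depends on an `%autosetup` or `%patch` line outside this diff, so verify the build actually applies both and in this order, since 6041 adjusts a test to the error code 6040 introduces.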
@@ -465,6 +468,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Wed Oct 12 2022 dongyuzhen - 2:9.0-18
+- Type:CVE
+- ID:CVE-2022-3352
+- SUG:NA
+- DESC:fix CVE-2022-3352
+
 * Thu Sep 29 2022 huangduirong - 2:9.0-17
 - Type:CVE
 - ID:CVE-2022-3296