new file mode 100644
@@ -0,0 +1,59 @@
+From d1ae8366aff286d41e7f5bc513cc0a1af5130aad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 9 May 2023 17:09:30 +0100
+Subject: [PATCH] patch 9.0.1531: crash when register contents ends up being
+ invalid
+
+Problem: Crash when register contents ends up being invalid.
+Solution: Check "y_array" is not NULL.
+
++Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338
++Upstream commit https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2609.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338]
++CVE: CVE-2023-2609
++Signed-off-by: Ashish Sharma <asharma@mvista.com>
+---
+ src/register.c | 2 +-
+ src/testdir/test_registers.vim | 17 +++++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/register.c b/src/register.c
+index f3df79cfd642..e481d843c249 100644
+--- a/src/register.c
++++ b/src/register.c
+@@ -301,7 +301,7 @@ get_register(
+ if (copy)
+ {
+ // If we run out of memory some or all of the lines are empty.
+- if (reg->y_size == 0)
++ if (reg->y_size == 0 || y_current->y_array == NULL)
+ reg->y_array = NULL;
+ else
+ reg->y_array = ALLOC_MULT(char_u *, reg->y_size);
+diff --git a/src/testdir/test_registers.vim b/src/testdir/test_registers.vim
+index e966932478d8..33ea0f4bd3e6 100644
+--- a/src/testdir/test_registers.vim
++++ b/src/testdir/test_registers.vim
+@@ -835,6 +835,23 @@ func Test_end_reg_executing()
+ bwipe!
+ endfunc
+
++" This was causing a crash because y_append was ending up being NULL
++func Test_zero_y_append()
++ " Run in a separate Vim instance because changing 'encoding' may cause
++ " trouble for later tests.
++ let lines =<< trim END
++ d
++ silent ?n
++ next <sfile>
++ so
++ sil! norm 0VPSP
++ set enc=latin1
++
++ END
++ call writefile(lines, 'XTest_zero_y_append', 'D')
++ call RunVim([], [], '-u NONE -i NONE -e -s -S XTest_zero_y_append -c qa\!')
++endfunc
++
+ " Make sure that y_append is correctly reset
+ " and the previous register is working as expected
+ func Test_register_y_append_reset()
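Review bot: The tag lines in this new patch file's header (`Upstream-Status:`, `CVE:`, `Signed-off-by:`) carry a literal leading `+`. They show as `++` in this diff, so inside the file they read `+CVE: CVE-2023-2609` rather than starting at column 0. Tooling that matches these tags at the start of a line may not recognise them, which matters for a backport whose purpose is to be tracked as a CVE fix; they should read `CVE: CVE-2023-2609`, `Upstream-Status: Backport [...]` and `Signed-off-by: ...` with no prefix. The same applies to the header of the CVE-2023-2610 patch added next, where the tags additionally sit below the `---` separator, in the part of the message that `git am` discards.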
new file mode 100644
@@ -0,0 +1,106 @@
+From ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 9 May 2023 21:15:30 +0100
+Subject: [PATCH] patch 9.0.1532: crash when expanding "~" in substitute causes
+ very long text
+
+Problem: Crash when expanding "~" in substitute causes very long text.
+Solution: Limit the text length to MAXCOL.
+---
++Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338
++Upstream commit https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2610.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338]
++CVE: CVE-2023-2610
++Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ src/regexp.c | 30 +++++++++++++++++++-----------
+ src/testdir/test_substitute.vim | 14 ++++++++++++++
+ 2 files changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 33b36d11a8be..0e6c746df819 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1767,10 +1767,7 @@ do_Lower(int *d, int c)
+ regtilde(char_u *source, int magic)
+ {
+ char_u *newsub = source;
+- char_u *tmpsub;
+ char_u *p;
+- int len;
+- int prevlen;
+
+ for (p = newsub; *p; ++p)
+ {
+@@ -1779,24 +1776,35 @@ regtilde(char_u *source, int magic)
+ if (reg_prev_sub != NULL)
+ {
+ // length = len(newsub) - 1 + len(prev_sub) + 1
+- prevlen = (int)STRLEN(reg_prev_sub);
+- tmpsub = alloc(STRLEN(newsub) + prevlen);
++ // Avoid making the text longer than MAXCOL, it will cause
++ // trouble at some point.
++ size_t prevsublen = STRLEN(reg_prev_sub);
++ size_t newsublen = STRLEN(newsub);
++ if (prevsublen > MAXCOL || newsublen > MAXCOL
++ || newsublen + prevsublen > MAXCOL)
++ {
++ emsg(_(e_resulting_text_too_long));
++ break;
++ }
++
++ char_u *tmpsub = alloc(newsublen + prevsublen);
+ if (tmpsub != NULL)
+ {
+ // copy prefix
+- len = (int)(p - newsub); // not including ~
+- mch_memmove(tmpsub, newsub, (size_t)len);
++ size_t prefixlen = p - newsub; // not including ~
++ mch_memmove(tmpsub, newsub, prefixlen);
+ // interpret tilde
+- mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
++ mch_memmove(tmpsub + prefixlen, reg_prev_sub,
++ prevsublen);
+ // copy postfix
+ if (!magic)
+ ++p; // back off backslash
+- STRCPY(tmpsub + len + prevlen, p + 1);
++ STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
+
+- if (newsub != source) // already allocated newsub
++ if (newsub != source) // allocated newsub before
+ vim_free(newsub);
+ newsub = tmpsub;
+- p = newsub + len + prevlen;
++ p = newsub + prefixlen + prevsublen;
+ }
+ }
+ else if (magic)
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 7491b6163dc8..32e2f2785479 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -1414,6 +1414,24 @@ func Test_substitute_short_cmd()
+ bw!
+ endfunc
+
++" Check handling expanding "~" resulting in extremely long text.
++func Test_substitute_tilde_too_long()
++ if v:sizeoflong < 8
++ throw 'Skipped: only works with 64 bit long ints'
++ endif
++
++ enew!
++
++ s/.*/ixxx
++ s//~~~~~~~~~AAAAAAA@(
++
++ " Either fails with "out of memory" or "text too long".
++ " This can take a long time.
++ call assert_fails('sil! norm &&&&&&&&&', ['E1240:\|E342:'])
++
++ bwipe!
++endfunc
++
+ " This should be done last to reveal a memory leak when vim_regsub_both() is
+ " called to evaluate an expression but it is not used in a second call.
+ func Test_z_substitute_expr_leak()
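Review bot: The new length guard in `regtilde()` reports `e_resulting_text_too_long` and then only `break`s out of the `for` loop, so whatever follows the loop still runs with a partially expanded `newsub`. That code is outside this hunk, so it is worth confirming that the caller treats the emsg as a failure rather than carrying on with the returned text. The first two comparisons (`prevsublen > MAXCOL`, `newsublen > MAXCOL`) are presumably what keep `newsublen + prevsublen` from wrapping before the third comparison is evaluated. A short comment such as `// check each length first so the sum cannot wrap` would stop a later cleanup from collapsing the condition to the sum alone.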
@@ -18,6 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://vim-add-knob-whether-elf.h-are-checked.patch \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
+ file://CVE-2023-2609..patch \
+ file://CVE-2023-2610..patch \
"
PV .= ".1527"
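Review bot: Both added SRC_URI entries have a doubled dot, `file://CVE-2023-2609..patch` and `file://CVE-2023-2610..patch`, while the commit's diffstat creates `CVE-2023-2609.patch` and `CVE-2023-2610.patch`. As written the recipe refers to files this commit does not add, so the two CVE fixes would either break the fetch or never be applied. The entries should be `file://CVE-2023-2609.patch \` and `file://CVE-2023-2610.patch \`. After the rename it is worth confirming that both patches apply cleanly on top of the pinned `.1527` revision.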
import patches from ubuntu to fix CVE-2023-2609 CVE-2023-2610 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338 Upstream commit https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2609.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338 & https://git.launchpad.net/ubuntu/+source/vim/tree/debian/patches/CVE-2023-2610.patch?h=applied/ubuntu/devel&id=586a63887e677551384eea2ab03eb22bd1117338] Signed-off-by: Ashish Sharma <asharma@mvista.com> --- .../vim/files/CVE-2023-2609.patch | 59 ++++++++++ .../vim/files/CVE-2023-2610.patch | 106 ++++++++++++++++++ meta/recipes-support/vim/vim.inc | 2 + 3 files changed, 167 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2023-2609.patch create mode 100644 meta/recipes-support/vim/files/CVE-2023-2610.patch