From 5a62256ebe128c73fa6587ec7cfc61b3b65d8f31 Mon Sep 17 00:00:00 2001
From: Sam Meluch <109628994+sameluch@users.noreply.github.com>
Date: Thu, 17 Oct 2024 11:52:13 -0700
Subject: [PATCH] Patch vim to resolve CVE-2024-43802 (#10680)

Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 SPECS/vim/CVE-2024-43802.patch | 49 ++++++++++++++++++++++++++++++++++
 SPECS/vim/vim.spec             |  7 +++--
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/vim/CVE-2024-43802.patch

diff --git a/SPECS/vim/CVE-2024-43802.patch b/SPECS/vim/CVE-2024-43802.patch
new file mode 100644
index 00000000000..0962098c743
--- /dev/null
+++ b/SPECS/vim/CVE-2024-43802.patch
@@ -0,0 +1,49 @@
+From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sun, 25 Aug 2024 21:33:03 +0200
+Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
+ ins_typebuf
+
+Problem:  heap-buffer-overflow in ins_typebuf
+          (SuyueGuo)
+Solution: When flushing the typeahead buffer, validate that there
+          is enough space left
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Removed binary test file and test only changes for security fix
+
+---
+ src/getchar.c                    |  15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+ create mode 100644 src/testdir/crash/heap_overflow3
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 29323fa328bd1..96e180f4ae1a9 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
+ 
+     if (flush_typeahead == FLUSH_MINIMAL)
+     {
+-	// remove mapped characters at the start only
+-	typebuf.tb_off += typebuf.tb_maplen;
+-	typebuf.tb_len -= typebuf.tb_maplen;
++	// remove mapped characters at the start only,
++	// but only when enough space left in typebuf
++	if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
++	{
++	    typebuf.tb_off = MAXMAPLEN;
++	    typebuf.tb_len = 0;
++	}
++	else
++	{
++	    typebuf.tb_off += typebuf.tb_maplen;
++	    typebuf.tb_len -= typebuf.tb_maplen;
++	}
+ #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
+ 	if (typebuf.tb_len == 0)
+ 	    typebuf_was_filled = FALSE;
diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec
index 83f6a49a1a2..a6107efc049 100644
--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -2,7 +2,7 @@
 Summary:        Text editor
 Name:           vim
 Version:        9.0.2121
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        Vim
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,7 +13,7 @@ Patch0:         CVE-2024-22667.patch
 Patch1:         CVE-2024-43374.patch
 Patch2:         CVE-2024-41957.patch
 Patch3:         CVE-2024-41965.patch
-
+Patch4:         CVE-2024-43802.patch
 BuildRequires:  ncurses-devel
 BuildRequires:  python3-devel
 Requires(post): sed
@@ -201,6 +201,9 @@ fi
 %{_bindir}/vimdiff
 
 %changelog
+* Tue Oct 08 2024 Sam Meluch <sammeluch@microsoft.com> - 9.0.2121-5
+- Add patch to resolve CVE-2024-43802
+
 * Wed Sep 18 2024 Sumedh Sharma <sumsharma@microsoft.com> - 9.0.2121-4
 - Add patch to resolve CVE-2024-41957 & CVE-2024-41965