From f7227e595af07aac5abd8497a62c0d0546f8546b Mon Sep 17 00:00:00 2001
From: Sam Meluch
Date: Tue, 8 Oct 2024 16:52:53 -0700
Subject: [PATCH] Patch vim to resolve CVE-2024-43802
---
 SPECS/vim/CVE-2024-43802.patch | 100 +++++++++++++++++++++++++++++++++
 SPECS/vim/vim.spec | 7 ++-
 2 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/vim/CVE-2024-43802.patch
diff --git a/SPECS/vim/CVE-2024-43802.patch b/SPECS/vim/CVE-2024-43802.patch
new file mode 100644
index 00000000000..984e685b2bd
--- /dev/null
+++ b/SPECS/vim/CVE-2024-43802.patch
@@ -0,0 +1,100 @@
+From 322ba9108612bead5eb7731ccb66763dec69ef1b Mon Sep 17 00:00:00 2001
+From: Christian Brabandt
+Date: Sun, 25 Aug 2024 21:33:03 +0200
+Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
+ ins_typebuf
+
+Problem: heap-buffer-overflow in ins_typebuf
+ (SuyueGuo)
+Solution: When flushing the typeahead buffer, validate that there
+ is enough space left
+
+Github Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
+
+Signed-off-by: Christian Brabandt
+---
+ src/getchar.c | 15 ++++++++++++---
+ src/testdir/crash/heap_overflow3 | Bin 0 -> 700 bytes
+ src/testdir/test_crash.vim | 7 +++++++
+ src/version.c | 2 ++
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 src/testdir/crash/heap_overflow3
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 29323fa328bd1..96e180f4ae1a9 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -446,9 +446,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
+ 
+ if (flush_typeahead == FLUSH_MINIMAL)
+ {
+- // remove mapped characters at the start only
+- typebuf.tb_off += typebuf.tb_maplen;
+- typebuf.tb_len -= typebuf.tb_maplen;
++ // remove mapped characters at the start only,
++ // but only when enough space left in typebuf
++ if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
++ {
++ typebuf.tb_off = MAXMAPLEN;
++ typebuf.tb_len = 0;
++ }
++ else
++ {
++ typebuf.tb_off += typebuf.tb_maplen;
++ typebuf.tb_len -= typebuf.tb_maplen;
++ }
+ #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
+ if (typebuf.tb_len == 0)
+ typebuf_was_filled = FALSE;
+diff --git a/src/testdir/crash/heap_overflow3 b/src/testdir/crash/heap_overflow3
+new file mode 100644
+index 0000000000000000000000000000000000000000..c40adbec4d07a66bcc9aa51e40dbbb90fdc36623
+GIT binary patch
+literal 700
+zcmZ{hO=}ZD7{@174?bQz$Wq8~blwYI0mDEj_I~
+z#4Wyom4oY!P?qTMHvg-P`?`z?XefMGSG^v1AIK`kUr&%+VYMPErTK+N)J-JP>G^aT
+zAZ{Y$4E~`YaRD~2pecm*%CU(Fe%tiJC@&{d=*n|%Iir2jcC0(~G8oP(})qg5n(t`-d4
+zkb2NTN-_lOVrS`Y1Znh89(*pxrqJZ4dI$ffVRxx=12p{UwvU2fK +zL=pVy065g2)SJ{@pg|BdnJlURZ#nqNaXvTnpKCo#R~9`EqA#^V7G{Xf)9MjP&=9 - 9.0.2190-6 +- Add patch to resolve CVE-2024-43802 + * Tue Aug 20 2024 Brian Fjeldstad - 9.0.2190-5 - Add patch to resolve CVE-2024-43374