From 66f27ddfbd259fdeada5e1d7197146e7aba82d90 Mon Sep 17 00:00:00 2001
From: bhagyapathak
Date: Fri, 17 Jan 2025 09:19:55 +0530
Subject: [PATCH] Fix CVE-2025-22134 in vim for 2.0 (#11952)

Co-authored-by: jslobodzian
(cherry picked from commit 064c8463d048ed7f9cf40926522f0bef6de1053a)
---
SPECS/vim/CVE-2025-22134.patch | 119 +++++++++++++++++++++++++++++++++
SPECS/vim/vim.spec | 6 +-
2 files changed, 124 insertions(+), 1 deletion(-)
create mode 100644 SPECS/vim/CVE-2025-22134.patch

diff --git a/SPECS/vim/CVE-2025-22134.patch b/SPECS/vim/CVE-2025-22134.patch
new file mode 100644
index 00000000000..9b9061d06bc
--- /dev/null
+++ b/SPECS/vim/CVE-2025-22134.patch
@@ -0,0 +1,119 @@
+From c9a1e257f1630a0866447e53a564f7ff96a80ead Sat Jan 11 00:00:00 2025
+From: bhapathak
+Date: Wed, 15 Jan 2025 14:35:21 +0000
+Subject: [PATCH] Fix for CVE-2025-22134 - heap-buffer-overflow with visual mode
+
+---
+diff --git a/src/arglist.c b/src/arglist.c
+index 8825c8e..4eec079 100644
+--- a/src/arglist.c
++++ b/src/arglist.c
+@@ -1258,6 +1258,10 @@ do_arg_all(
+
+ tabpage_T *new_lu_tp = curtab;
+
++ // Stop Visual mode, the cursor and "VIsual" may very well be invalid after
++ // switching to another buffer.
++ reset_VIsual_and_resel();
++
+ // Try closing all windows that are not in the argument list.
+ // Also close windows that are not full width;
+ // When 'hidden' or "forceit" set the buffer becomes hidden.
+diff --git a/src/misc1.c b/src/misc1.c
+index 0898efb..bb87e22 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -543,11 +543,15 @@ plines_m_win(win_T *wp, linenr_T first, linenr_T last, int max)
+ gchar_pos(pos_T *pos)
+ {
+ char_u *ptr;
+-
++ int ptrlen;
++
+ // When searching columns is sometimes put at the end of a line.
+ if (pos->col == MAXCOL)
+ return NUL;
++ ptrlen = ml_get_len(pos->lnum);
+ ptr = ml_get_pos(pos);
++ if (pos->col > ptrlen)
++ return NUL;
+ if (has_mbyte)
+ return (*mb_ptr2char)(ptr);
+ return (int)*ptr;
+diff --git a/src/ops.c b/src/ops.c
+index eb8f64c..a1bd5b3 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -2450,6 +2450,7 @@ charwise_block_prep(
+ colnr_T startcol = 0, endcol = MAXCOL;
+ colnr_T cs, ce;
+ char_u *p;
++ int plen = ml_get_len(lnum);
+
+ p = ml_get(lnum);
+ bdp->startspaces = 0;
+@@ -2510,7 +2511,7 @@ charwise_block_prep(
+ else
+ bdp->textlen = endcol - startcol + inclusive;
+ bdp->textcol = startcol;
+- bdp->textstart = p + startcol;
++ bdp->textstart = startcol <= plen ? p + startcol : p;
+ }
+
+ /*
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 3750ebf..9cfac32 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -470,7 +470,7 @@ func Test_Visual_Block()
+ \ "\t{",
+ \ "\t}"], getline(1, '$'))
+
+- close!
++ bw!
+ endfunc
+
+ " Test for 'p'ut in visual block mode
+@@ -1080,7 +1080,7 @@ func Test_star_register()
+
+ delmarks < >
+ call assert_fails('*yank', 'E20:')
+- close!
++ bw!
+ endfunc
+
+ " Test for changing text in visual mode with 'exclusive' selection
+@@ -1096,7 +1096,7 @@ func Test_exclusive_selection()
+ call assert_equal('l one', getline(1))
+ set virtualedit&
+ set selection&
+- close!
++ bw!
+ endfunc
+
+ " Test for starting linewise visual with a count.
+@@ -1165,6 +1165,24 @@ func Test_visual_put_in_block()
+ bwipe!
+ endfunc
+
++" the following caused a Heap-Overflow, because Vim was accessing outside of a
++" line end
++func Test_visual_pos_buffer_heap_overflow()
++ set virtualedit=all
++ args Xa Xb
++ all
++ call setline(1, ['', '', ''])
++ call cursor(3, 1)
++ wincmd w
++ call setline(1, 'foobar')
++ normal! $lv0
++ all
++ call setreg('"', 'baz')
++ normal! [P
++ set virtualedit=
++ bw! Xa Xb
++endfunc
++
+ func Test_visual_put_in_block_using_zp()
+ new
+ " paste using zP
diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec
index 7cf48d16dc7..71538119709 100644
--- a/SPECS/vim/vim.spec
+++ b/SPECS/vim/vim.spec
@@ -2,13 +2,14 @@
 Summary: Text editor
 Name: vim
 Version: 9.1.0791
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Vim
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Applications/Editors
 URL: https://www.vim.org
 Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2025-22134.patch
 BuildRequires: ncurses-devel
 BuildRequires: python3-devel
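Review bot: In the embedded misc1.c hunk, `ptr = ml_get_pos(pos);` is still evaluated before the new `if (pos->col > ptrlen)` guard, so if ml_get_pos adds pos->col to the line pointer (as its name suggests) the out-of-range pointer is formed and only then discarded; moving the assignment below the check, `if (pos->col > ptrlen) return NUL;` followed by `ptr = ml_get_pos(pos);`, keeps the pointer arithmetic within the line for every path that reaches the dereference. In the ops.c hunk the fallback `bdp->textstart = startcol <= plen ? p + startcol : p;` points textstart at the line start while `bdp->textcol = startcol` and the textlen computed just above still carry the out-of-range column, so a reader cannot tell from this hunk alone whether consumers of bdp stay within plen; a comment on that line such as `// startcol past the line end: textstart must stay inside the line, textcol/textlen still reflect the requested column` would record the intent. Both gchar_pos and charwise_block_prep begin and end outside their hunks, so the remaining uses of ptr and bdp are not visible here.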
@@ -199,6 +200,9 @@ fi
 %{_bindir}/vimdiff

 %changelog
+* Thu Jan 16 2025 Bhagyashri Pathak - 9.1.0791-2
+- Patch for fixing CVE-2025-22134
+
 * Thu Oct 17 2024 Nick Samson - 9.1.0791-1
 - Upgrade to 9.1.0791 to fix CVE-2024-47814, CVE-2024-43802
 - Added language configurations for Amharic and Hungarian