vim: fix CVE-2021-3796, CVE-2021-3872, and CVE-2021-3875

Backport patches from upstream to fix these CVEs.

(From OE-Core rev: 2ed29a813fa07a2e6d2637f7fc63d5e0066b6304)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b493eb4f9a6bb75a2f01a53b6c70762845bf79f9)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 72 insertions, 0 deletions

diff --git a/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
new file mode 100644
index 0000000000..045081579c
--- /dev/null
+++ b/meta/recipes-support/vim/files/0004-patch-8.2.3489-ml_get-error-after-search-with-range.patch
@@ -0,0 +1,72 @@
+CVE: CVE-2021-3875
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b8968e26d7508e7d64bfc86808142818b0a9288c Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 9 Oct 2021 13:58:55 +0100
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+
+Problem:    ml_get error after search with range.
+Solution:   Limit the line number to the buffer line count.
+---
+ src/ex_docmd.c              |  6 ++++--
+ src/testdir/test_search.vim | 17 +++++++++++++++++
+ src/version.c               |  2 ++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fb07450f8..fde726477 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+ 
+                    // When '/' or '?' follows another address, start from
+                    // there.
+-                   if (lnum != MAXLNUM)
+-                       curwin->w_cursor.lnum = lnum;
++                   if (lnum > 0 && lnum != MAXLNUM)
++                       curwin->w_cursor.lnum =
++                               lnum > curbuf->b_ml.ml_line_count
++                                          ? curbuf->b_ml.ml_line_count : lnum;
+ 
+                    // Start a forward search at the end of the line (unless
+                    // before the first line).
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 187671305..e142c3547 100644
+--- a/src/testdir/test_search.vim
++++ b/src/testdir/test_search.vim
+@@ -1366,3 +1366,20 @@ func Test_searchdecl()
+ 
+   bwipe!
+ endfunc
++
++func Test_search_with_invalid_range()
++  new
++  let lines =<< trim END
++    /\%.v
++    5/
++    c
++  END
++  call writefile(lines, 'Xrangesearch')
++  source Xrangesearch
++
++  bwipe!
++  call delete('Xrangesearch')
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 2b5de5ccf..092864bbb 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -742,6 +742,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    3489,
+ /**/
+     3487,
+ /**/