From 03d29f54cc45fe1cbb2fdeaa4655cfa2120596bd Mon Sep 17 00:00:00 2001
From: mgb01105731
Date: Fri, 25 Jul 2025 16:39:21 +0800
Subject: [PATCH] Add patch to fix CVE-2024-41957 and CVE-2024-41965
---
 ...ix-CVE-2024-41957-and-CVE-2024-41965.patch | 128 ++++++++++++++++++
 vim.spec | 8 +-
 2 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch
diff --git a/1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch b/1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch
new file mode 100644
index 0000000..052692b
--- /dev/null
+++ b/1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch
@@ -0,0 +1,128 @@
+From 36f06441b7832a0f7360ed9f31ec60191a2d800c Mon Sep 17 00:00:00 2001
+From: mgb01105731
+Date: Tue, 1 Apr 2025 02:05:26 -0400
+Subject: [PATCH 1/1] fix CVE-2024-41957 and CVE-2024-41965
+
+---
+ src/ex_cmds2.c | 23 ++++++++++++++++++++---
+ src/tag.c | 4 ++--
+ src/testdir/test_crash.vim | 24 ++++++++++++++++++++++++
+ src/window.c | 5 +----
+ 4 files changed, 47 insertions(+), 9 deletions(-)
+
+diff --git a/src/ex_cmds2.c b/src/ex_cmds2.c
+index 45ccb52..6b63741 100644
+--- a/src/ex_cmds2.c
++++ b/src/ex_cmds2.c
+@@ -177,14 +177,31 @@ dialog_changed(
+
+ if (ret == VIM_YES)
+ {
++ int empty_bufname;
++
+ #ifdef FEAT_BROWSE
+ // May get file name, when there is none
+ browse_save_fname(buf);
+ #endif
+- if (buf->b_fname != NULL && check_overwrite(&ea, buf,
+- buf->b_fname, buf->b_ffname, FALSE) == OK)
++ empty_bufname = buf->b_fname == NULL ? TRUE : FALSE;
++ if (empty_bufname)
++ buf_set_name(buf->b_fnum, (char_u *)"Untitled");
++
++ if (check_overwrite(&ea, buf, buf->b_fname, buf->b_ffname, FALSE) == OK)
++ {
+ // didn't hit Cancel
+- (void)buf_write_all(buf, FALSE);
++ if (buf_write_all(buf, FALSE) == OK)
++ return;
++ }
++
++ // restore to empty when write failed
++ if (empty_bufname)
++ {
++ VIM_CLEAR(buf->b_fname);
++ VIM_CLEAR(buf->b_ffname);
++ VIM_CLEAR(buf->b_sfname);
++ unchanged(buf, TRUE, FALSE);
++ }
+ }
+ else if (ret == VIM_NO)
+ {
+diff --git a/src/tag.c b/src/tag.c
+index 8003156..f46ca43 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -144,7 +144,7 @@ static void print_tag_list(int new_tag, int use_tagstack, int num_matches, char_
+ #if defined(FEAT_QUICKFIX) && defined(FEAT_EVAL)
+ static int add_llist_tags(char_u *tag, int num_matches, char_u **matches);
+ #endif
+-static void tagstack_clear_entry(taggy_T *item);
++void tagstack_clear_entry(taggy_T *item);
+
+ static char_u *tagmatchname = NULL; // name of last used tag
+
+@@ -4225,7 +4225,7 @@ find_extra(char_u **pp)
+ /*
+ * Free a single entry in a tag stack
+ */
+- static
 void
++ void
+ tagstack_clear_entry(taggy_T *item)
+ {
+ VIM_CLEAR(item->tagname);
+diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
+index 233b84d..de2d6e9 100644
+--- a/src/testdir/test_crash.vim
++++ b/src/testdir/test_crash.vim
+@@ -151,6 +151,30 @@ func Test_crash1_2()
+ call delete(result)
+ endfunc
+
++" This test just runs various scripts, that caused issues before.
++" We are not really asserting anything here, it's just important
++" that ASAN does not detect any issues.
++func Test_crash1_3()
++ let vim = GetVimProg()
++ let buf = RunVimInTerminal('sh', #{cmd: 'sh'})
++
++ let file = 'crash/double_free'
++ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\"
++ let args = printf(cmn_args, vim, file)
++ call term_sendkeys(buf, args)
++ call TermWait(buf, 50)
++
++ let file = 'crash/dialog_changed_uaf'
++ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\"
++ let args = printf(cmn_args, vim, file)
++ call term_sendkeys(buf, args)
++ call TermWait(buf, 150)
++
++ " clean up
++ exe buf .. "bw!"
++ bw!
++endfunc
++
+ func Test_crash2()
+ " The following used to crash Vim
+ let opts = #{wait_for_ruler: 0, rows: 20}
+diff --git a/src/window.c b/src/window.c
+index 55ce31c..8537a0f 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -5661,10 +5661,7 @@ win_free(
+ win_free_lsize(wp);
+
+ for (i = 0; i < wp->w_tagstacklen; ++i)
+- {
+- vim_free(wp->w_tagstack[i].tagname);
+- vim_free(wp->w_tagstack[i].user_data);
+- }
++ tagstack_clear_entry(&wp->w_tagstack[i]);
+ vim_free(wp->w_localdir);
+ vim_free(wp->w_prevdir);
+
+-- 
+2.41.0
+
+
diff --git a/vim.spec b/vim.spec
index 84e6492..e654eff 100644
--- a/vim.spec
+++ b/vim.spec
@@ -1,4 +1,4 @@
-%define anolis_release 6
+%define anolis_release 7
 %bcond_without gui
 %bcond_with default_editor
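Review bot: The embedded patch makes `tagstack_clear_entry` non-static in src/tag.c and calls it from src/window.c, but its diffstat lists only four files and carries no `src/proto/tag.pro` hunk, so unless the prototypes are regenerated during the build, window.c compiles against an implicit declaration — a warning on older GCC and a hard error under GCC 14's default `-Werror=implicit-function-declaration`. The upstream commit referenced in vim.spec (b29f4ab) should carry the matching prototype; add it to this patch as `void tagstack_clear_entry(taggy_T *item);` in `src/proto/tag.pro`. Separately, `Test_crash1_3` sources `crash/double_free` and `crash/dialog_changed_uaf`, and neither fixture is part of this patch (nor visibly of an earlier one in the spec), so the scripts cannot be loaded and the test passes without exercising either CVE; ship the fixture files or drop the test rather than keep a vacuous regression check. As rendered here `cmn_args` ends in `':qa!'\"` with no closing quote where upstream has `\<cr>"`; confirm the on-disk patch is intact, because an unterminated string would make the test function fail with a missing-quote error (E114) instead of running.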
@@ -75,6 +75,9 @@ Patch1002: 1002-stack-buffer-overflow-in-option-callback-functions.patch
 Patch1003: 1003-fix-cve-2025-24014.patch
 # https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8
 Patch1004: 1004-fix-CVE-2024-43374.patch
+# https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5
+# https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c9de60
+Patch1005: 1005-fix-CVE-2024-41957-and-CVE-2024-41965.patch
 BuildRequires: autoconf gcc glibc-gconv-extra make
 BuildRequires: gettext gpm-devel libacl-devel
@@ -819,6 +822,9 @@ touch %{buildroot}/%{data_dir}/vimfiles/doc/tags
 %endif
 %changelog
+* Fri Jul 25 2025 mgb01105731 - 3:9.0.2092-7
+- Add patch to fix CVE-2024-41957 and CVE-2024-41965
+
 * Mon Jul 07 2025 wenxin - 3:9.0.2092-6
 - Add patch to Fix CVE-2024-43802, CVE-2024-43374
-- 
Gitee