summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--debian/changelog20
-rw-r--r--debian/patches/CVE-2021-3872.patch64
-rw-r--r--debian/patches/CVE-2021-3927.patch36
-rw-r--r--debian/patches/CVE-2021-3928.patch40
-rw-r--r--debian/patches/CVE-2021-3974.patch56
-rw-r--r--debian/patches/CVE-2021-3984.patch55
-rw-r--r--debian/patches/CVE-2021-4019.patch38
-rw-r--r--debian/patches/CVE-2021-4069.patch52
-rw-r--r--debian/patches/CVE-2021-4192.patch51
-rw-r--r--debian/patches/CVE-2021-4193.patch46
-rw-r--r--debian/patches/CVE-2022-0213.patch48
-rw-r--r--debian/patches/CVE-2022-0261.patch112
-rw-r--r--debian/patches/CVE-2022-0319.patch47
-rw-r--r--debian/patches/CVE-2022-0351.patch58
-rw-r--r--debian/patches/CVE-2022-0359.patch54
-rw-r--r--debian/patches/CVE-2022-0361.patch42
-rw-r--r--debian/patches/CVE-2022-0368.patch45
-rw-r--r--debian/patches/CVE-2022-0408.patch87
-rw-r--r--debian/patches/CVE-2022-0413.patch80
-rw-r--r--debian/patches/CVE-2022-0417.patch88
-rw-r--r--debian/patches/CVE-2022-0443.patch79
-rw-r--r--debian/patches/CVE-2022-0554.patch68
-rw-r--r--debian/patches/CVE-2022-0572.patch25
-rw-r--r--debian/patches/CVE-2022-0685.patch47
-rw-r--r--debian/patches/CVE-2022-0714.patch22
-rw-r--r--debian/patches/CVE-2022-0729.patch43
-rw-r--r--debian/patches/CVE-2022-0943.patch53
-rw-r--r--debian/patches/CVE-2022-1154.patch31
-rw-r--r--debian/patches/CVE-2022-1616.patch53
-rw-r--r--debian/patches/CVE-2022-1720.patch34
-rw-r--r--debian/patches/CVE-2022-1851.patch44
-rw-r--r--debian/patches/CVE-2022-1898.patch65
-rw-r--r--debian/patches/CVE-2022-2285.patch40
-rw-r--r--debian/patches/CVE-2022-2304.patch56
-rw-r--r--debian/patches/CVE-2022-2598.patch60
-rw-r--r--debian/patches/CVE-2022-2946.patch44
-rw-r--r--debian/patches/CVE-2022-3099.patch23
-rw-r--r--debian/patches/CVE-2022-3134.patch29
-rw-r--r--debian/patches/CVE-2022-3234.patch71
-rw-r--r--debian/patches/CVE-2022-3324.patch65
-rw-r--r--debian/patches/CVE-2022-3705.patch71
-rw-r--r--debian/patches/CVE_2022-1968.patch84
-rw-r--r--debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch2
-rw-r--r--debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch2
-rw-r--r--debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch4
-rw-r--r--debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch14
-rw-r--r--debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch12
-rw-r--r--debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch12
-rw-r--r--debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch17
-rw-r--r--debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch14
-rw-r--r--debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch14
-rw-r--r--debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch72
-rw-r--r--debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch14
-rw-r--r--debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch12
-rw-r--r--debian/patches/patch-8.1.1382-error-when-editing-test-file.patch18
-rw-r--r--debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch18
-rw-r--r--debian/patches/series41
-rw-r--r--debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch8
-rw-r--r--debian/patches/upstream/deb-release-names.patch4
-rw-r--r--debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch49
-rw-r--r--debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch12
-rw-r--r--debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch14
-rw-r--r--debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch8
-rw-r--r--debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch6
-rw-r--r--debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch8
-rw-r--r--debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch6
66 files changed, 2369 insertions, 238 deletions
diff --git a/debian/changelog b/debian/changelog
index d771fb0..7471584 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2021-3927, CVE-2021-3928, CVE-2021-3974, CVE-2021-3984,
+ CVE-2021-4019, CVE-2021-4069, CVE-2021-4192, CVE-2021-4193,
+ CVE-2022-0213, CVE-2022-0261, CVE-2022-0319, CVE-2022-0351,
+ CVE-2022-0359, CVE-2022-0361, CVE-2022-0368, CVE-2022-0408,
+ CVE-2022-0413, CVE-2022-0417, CVE-2022-0443, CVE-2022-0554,
+ CVE-2022-0572, CVE-2022-0685, CVE-2022-0714, CVE-2022-0729,
+ CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720,
+ CVE-2022-1851, CVE-2022-1898, CVE_2022-1968, CVE-2022-2285,
+ CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099,
+ CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705
+ Multiple security vulnerabilities have been discovered in vim, an enhanced
+ vi editor. Buffer overflows, out-of-bounds reads and use-after-free may
+ lead to a denial-of-service (application crash) or other unspecified
+ impact.
+
+ -- Markus Koschany <apo@debian.org> Tue, 08 Nov 2022 13:53:29 +0100
+
vim (2:8.1.0875-5+deb10u2) buster; urgency=medium
* Revert unintentional inclusion of v8.2.3489, which is only relevant to Vim
diff --git a/debian/patches/CVE-2021-3872.patch b/debian/patches/CVE-2021-3872.patch
new file mode 100644
index 0000000..ad1ffc3
--- /dev/null
+++ b/debian/patches/CVE-2021-3872.patch
@@ -0,0 +1,64 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 18:47:02 +0200
+Subject: CVE-2021-3872
+
+Origin: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
+---
+ src/screen.c | 10 +++++-----
+ src/testdir/test_statusline.vim | 14 ++++++++++++++
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/src/screen.c
++++ b/src/screen.c
+@@ -6887,13 +6887,13 @@ win_redr_status(win_T *wp, int ignore_pu
+ *(p + len++) = ' ';
+ if (bt_help(wp->w_buffer))
+ {
+- STRCPY(p + len, _("[Help]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ len += (int)STRLEN(p + len);
+ }
+ #ifdef FEAT_QUICKFIX
+ if (wp->w_p_pvw)
+ {
+- STRCPY(p + len, _("[Preview]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ len += (int)STRLEN(p + len);
+ }
+ #endif
+@@ -6903,12 +6903,12 @@ win_redr_status(win_T *wp, int ignore_pu
+ #endif
+ )
+ {
+- STRCPY(p + len, "[+]");
+- len += 3;
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
++ len += (int)STRLEN(p + len);
+ }
+ if (wp->w_buffer->b_p_ro)
+ {
+- STRCPY(p + len, _("[RO]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ len += (int)STRLEN(p + len);
+ }
+
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -341,3 +341,17 @@ func Test_statusline()
+ set laststatus&
+ set splitbelow&
+ endfunc
++
++
++" CVE-2021-3872
++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
++function Test_statusline_verylong_filename()
++ let fname = repeat('x', 4090)
++ exe "new " . fname
++ set buftype=help
++ set previewwindow
++ redraw
++ bwipe!
++endfunc
++
++
diff --git a/debian/patches/CVE-2021-3927.patch b/debian/patches/CVE-2021-3927.patch
new file mode 100644
index 0000000..592f425
--- /dev/null
+++ b/debian/patches/CVE-2021-3927.patch
@@ -0,0 +1,36 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:13:54 +0200
+Subject: CVE-2021-3927
+
+Origin: https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e
+---
+ src/ex_docmd.c | 1 +
+ src/testdir/test_put.vim | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -9487,6 +9487,7 @@ ex_put(exarg_T *eap)
+ eap->forceit = TRUE;
+ }
+ curwin->w_cursor.lnum = eap->line2;
++ check_cursor_col();
+ do_put(eap->regname, eap->forceit ? BACKWARD : FORWARD, 1L,
+ PUT_LINE|PUT_CURSLINE);
+ }
+--- a/src/testdir/test_put.vim
++++ b/src/testdir/test_put.vim
+@@ -101,3 +101,13 @@ func Test_put_p_errmsg_nodup()
+ delfunction Capture_p_error
+ bwipeout!
+ endfunc
++
++func Test_put_above_first_line()
++ new
++ let @" = 'text'
++ silent! normal 0o00
++ 0put
++ call assert_equal('text', getline(1))
++ bwipe!
++endfunc
++
diff --git a/debian/patches/CVE-2021-3928.patch b/debian/patches/CVE-2021-3928.patch
new file mode 100644
index 0000000..f7e1764
--- /dev/null
+++ b/debian/patches/CVE-2021-3928.patch
@@ -0,0 +1,40 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:21:36 +0200
+Subject: CVE-2021-3928
+
+Origin: https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732
+---
+ src/spell.c | 2 +-
+ src/testdir/test_spell.vim | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -4616,7 +4616,7 @@ suggest_trie_walk(
+ * char, e.g., "thes," -> "these". */
+ p = fword + sp->ts_fidx;
+ MB_PTR_BACK(fword, p);
+- if (!spell_iswordp(p, curwin))
++ if (!spell_iswordp(p, curwin) && *preword != NUL)
+ {
+ p = preword + STRLEN(preword);
+ MB_PTR_BACK(preword, p);
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -436,6 +436,16 @@ func RunGoodBad(good, bad, expected_word
+ bwipe!
+ endfunc
+
++func Test_spell_single_word()
++ set spell
++ new
++ silent! norm 0R00
++ spell! ßÂ
++ silent 0norm 0r$ Dvz=
++ set nospell
++ bwipe!
++endfunc
++
+ let g:test_data_aff1 = [
+ \"SET ISO8859-1",
+ \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
diff --git a/debian/patches/CVE-2021-3974.patch b/debian/patches/CVE-2021-3974.patch
new file mode 100644
index 0000000..331ecee
--- /dev/null
+++ b/debian/patches/CVE-2021-3974.patch
@@ -0,0 +1,56 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:33:45 +0200
+Subject: CVE-2021-3974
+
+Origin: https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
+---
+ src/regexp.c | 2 +-
+ src/regexp_nfa.c | 8 ++++++++
+ src/testdir/test_regexp_latin.vim | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -3474,7 +3474,7 @@ typedef struct {
+ // The current match-position is stord in these variables:
+ linenr_T lnum; // line number, relative to first line
+ char_u *line; // start of current line
+- char_u *input; // current input, points into "regline"
++ char_u *input; // current input, points into "line"
+
+ int need_clear_subexpr; // subexpressions still need to be cleared
+ #ifdef FEAT_SYN_HL
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -6570,8 +6570,16 @@ nfa_regmatch(
+ case NFA_MARK_GT:
+ case NFA_MARK_LT:
+ {
++ size_t col = rex.input - rex.line;
+ pos_T *pos = getmark_buf(rex.reg_buf, t->state->val, FALSE);
+
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ /* Compare the mark position to the match position. */
+ result = (pos != NULL /* mark doesn't exist */
+ && pos->lnum > 0 /* mark isn't set in reg_buf */
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -84,3 +84,12 @@ func Test_multi_failure()
+ call assert_fails('/a\{a}', 'E870:')
+ set re=0
+ endfunc
++
++func Test_using_mark_position()
++ " this was using freed memory
++ new
++ norm O0
++ call assert_fails("s/\\%')", 'E486:')
++ bwipe!
++endfunc
++
diff --git a/debian/patches/CVE-2021-3984.patch b/debian/patches/CVE-2021-3984.patch
new file mode 100644
index 0000000..45589c5
--- /dev/null
+++ b/debian/patches/CVE-2021-3984.patch
@@ -0,0 +1,55 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:41:33 +0200
+Subject: CVE-2021-3984
+
+Origin: https://github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655
+---
+ src/indent.c | 10 +++++-----
+ src/testdir/test_cindent.vim | 12 ++++++++++++
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -1551,10 +1551,10 @@ cin_skip2pos(pos_T *trypos)
+ static pos_T *
+ find_start_brace(void) // XXX
+ {
+- pos_T cursor_save;
+- pos_T *trypos;
+- pos_T *pos;
+- static pos_T pos_copy;
++ pos_T cursor_save;
++ pos_T *trypos;
++ pos_T *pos;
++ static pos_T pos_copy;
+
+ cursor_save = curwin->w_cursor;
+ while ((trypos = findmatchlimit(NULL, '{', FM_BLOCKSTOP, 0)) != NULL)
+@@ -1568,7 +1568,7 @@ find_start_brace(void) // XXX
+ && (pos = ind_find_start_CORS(NULL)) == NULL) // XXX
+ break;
+ if (pos != NULL)
+- curwin->w_cursor.lnum = pos->lnum;
++ curwin->w_cursor = *pos;
+ }
+ curwin->w_cursor = cursor_save;
+ return trypos;
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -102,4 +102,16 @@ func Test_cindent_expr()
+ bw!
+ endfunc
+
++func Test_find_brace_backwards()
++ " this was looking beyond the end of the line
++ new
++ norm R/*
++ norm o0{
++ norm o//
++ norm V{=
++ call assert_equal(['/*', ' 0{', '//'], getline(1, 3))
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/debian/patches/CVE-2021-4019.patch b/debian/patches/CVE-2021-4019.patch
new file mode 100644
index 0000000..bf0f8ab
--- /dev/null
+++ b/debian/patches/CVE-2021-4019.patch
@@ -0,0 +1,38 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:50:16 +0200
+Subject: CVE-2021-4019
+
+Origin: https://github.com/vim/vim/commit/bd228fd097b41a798f90944b5d1245eddd484142
+---
+ src/ex_cmds.c | 3 +--
+ src/testdir/test_help.vim | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -6658,8 +6658,7 @@ find_help_tags(
+ || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ && arg[2] != NUL)))
+ {
+- STRCPY(d, "/\\\\");
+- STRCPY(d + 3, arg + 1);
++ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ /* Check for "/\\_$", should be "/\\_\$" */
+ if (d[3] == '_' && d[4] == '$')
+ STRCPY(d + 4, "\\$");
+--- a/src/testdir/test_help.vim
++++ b/src/testdir/test_help.vim
+@@ -49,3 +49,13 @@ func Test_help_local_additions()
+ call delete('Xruntime', 'rf')
+ let &rtp = rtp_save
+ endfunc
++
++" CVE-2021-4019
++func Test_help_long_argument()
++ try
++ exe 'help \%' .. repeat('0', 1021)
++ catch
++ call assert_match("E15:", v:exception)
++ endtry
++endfunc
++
diff --git a/debian/patches/CVE-2021-4069.patch b/debian/patches/CVE-2021-4069.patch
new file mode 100644
index 0000000..ad21727
--- /dev/null
+++ b/debian/patches/CVE-2021-4069.patch
@@ -0,0 +1,52 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 19:53:49 +0200
+Subject: CVE-2021-4069
+
+Origin: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9
+---
+ src/ex_docmd.c | 10 +++++++---
+ src/testdir/test_ex_equal.vim | 13 +++++++++++++
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -8659,13 +8659,17 @@ ex_open(exarg_T *eap)
+ regmatch.regprog = vim_regcomp(eap->arg, p_magic ? RE_MAGIC : 0);
+ if (regmatch.regprog != NULL)
+ {
++ // make a copy of the line, when searching for a mark it might be
++ // flushed
++ char_u *line = vim_strsave(ml_get_curline());
++
+ regmatch.rm_ic = p_ic;
+- p = ml_get_curline();
+- if (vim_regexec(&regmatch, p, (colnr_T)0))
+- curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - p);
++ if (vim_regexec(&regmatch, line, (colnr_T)0))
++ curwin->w_cursor.col = (colnr_T)(regmatch.startp[0] - line);
+ else
+ emsg(_(e_nomatch));
+ vim_regfree(regmatch.regprog);
++ vim_free(line);
+ }
+ /* Move to the NUL, ignore any other arguments. */
+ eap->arg += STRLEN(eap->arg);
+--- a/src/testdir/test_ex_equal.vim
++++ b/src/testdir/test_ex_equal.vim
+@@ -30,3 +30,16 @@ func Test_ex_equal()
+
+ bwipe!
+ endfunc
++
++func Test_open_command_flush_line()
++ " this was accessing freed memory: the regexp match uses a pointer to the
++ " current line which becomes invalid when searching for the ') mark.
++ new
++ call setline(1, ['one', 'two. three'])
++ s/one/ONE
++ try
++ open /\%')/
++ catch /E479/
++ endtry
++ bwipe!
++endfunc
diff --git a/debian/patches/CVE-2021-4192.patch b/debian/patches/CVE-2021-4192.patch
new file mode 100644
index 0000000..eccc96b
--- /dev/null
+++ b/debian/patches/CVE-2021-4192.patch
@@ -0,0 +1,51 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 20:01:41 +0200
+Subject: CVE-2021-4192
+
+Origin: https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
+---
+ src/regexp.c | 9 +++++++--
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -4112,9 +4112,9 @@ reg_match_visual(void)
+ if (lnum < top.lnum || lnum > bot.lnum)
+ return FALSE;
+
++ col = (colnr_T)(rex.input - rex.line);
+ if (mode == 'v')
+ {
+- col = (colnr_T)(rex.input - rex.line);
+ if ((lnum == top.lnum && col < top.col)
+ || (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ return FALSE;
+@@ -4129,7 +4129,12 @@ reg_match_visual(void)
+ end = end2;
+ if (top.col == MAXCOL || bot.col == MAXCOL)
+ end = MAXCOL;
+- cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
++
++ // getvvcol() flushes rex.line, need to get it again
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++
++ cols = win_linetabsize(wp, rex.line, col);
+ if (cols < start || cols > end - (*p_sel == 'e'))
+ return FALSE;
+ }
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -93,3 +93,11 @@ func Test_using_mark_position()
+ bwipe!
+ endfunc
+
++func Test_using_visual_position()
++ " this was using freed memory
++ new
++ exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
++ /\%V
++ bwipe!
++endfunc
++
diff --git a/debian/patches/CVE-2021-4193.patch b/debian/patches/CVE-2021-4193.patch
new file mode 100644
index 0000000..564850b
--- /dev/null
+++ b/debian/patches/CVE-2021-4193.patch
@@ -0,0 +1,46 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 20:05:49 +0200
+Subject: CVE-2021-4193
+
+Origin: https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b
+---
+ src/charset.c | 13 +++++++++----
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/src/charset.c
++++ b/src/charset.c
+@@ -1244,10 +1244,15 @@ getvcol(
+ posptr = NULL; /* continue until the NUL */
+ else
+ {
+- /* Special check for an empty line, which can happen on exit, when
+- * ml_get_buf() always returns an empty string. */
+- if (*ptr == NUL)
+- pos->col = 0;
++ colnr_T i;
++
++ // In a few cases the position can be beyond the end of the line.
++ for (i = 0; i < pos->col; ++i)
++ if (ptr[i] == NUL)
++ {
++ pos->col = i;
++ break;
++ }
+ posptr = ptr + pos->col;
+ if (has_mbyte)
+ /* always start on the first byte */
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -101,3 +101,11 @@ func Test_using_visual_position()
+ bwipe!
+ endfunc
+
++func Test_using_invalid_visual_position()
++ " this was going beyond the end of the line
++ new
++ exe "norm 0o000\<Esc>0\<C-V>$s0"
++ /\%V
++ bwipe!
++endfunc
++
diff --git a/debian/patches/CVE-2022-0213.patch b/debian/patches/CVE-2022-0213.patch
new file mode 100644
index 0000000..bb1c91b
--- /dev/null
+++ b/debian/patches/CVE-2022-0213.patch
@@ -0,0 +1,48 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 16:01:20 +0200
+Subject: CVE-2022-0213
+
+Origin: https://github.com/vim/vim/commit/de05bb25733c3319e18dca44e9b59c6ee389eb26
+---
+ src/screen.c | 3 ++-
+ src/testdir/test_edit.vim | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+--- a/src/screen.c
++++ b/src/screen.c
+@@ -6878,12 +6878,13 @@ win_redr_status(win_T *wp, int ignore_pu
+ p = NameBuff;
+ len = (int)STRLEN(p);
+
+- if (bt_help(wp->w_buffer)
++ if ((bt_help(wp->w_buffer)
+ #ifdef FEAT_QUICKFIX
+ || wp->w_p_pvw
+ #endif
+ || bufIsChanged(wp->w_buffer)
+ || wp->w_buffer->b_p_ro)
++ && len < MAXPATHL - 1)
+ *(p + len++) = ' ';
+ if (bt_help(wp->w_buffer))
+ {
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1449,4 +1449,18 @@ func Test_edit_put_CTRL_E()
+ set encoding=utf-8
+ endfunc
+
++" CVE-2022-0213
++func Test_edit_overlong_file_name()
++
++ file 0000000000000000000000000000
++ file %%%%%%%%%%%%%%%%%%%%%%%%%%
++ file %%%%%%
++ set readonly
++ set ls=2
++
++ redraw!
++ set noreadonly ls&
++ bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/debian/patches/CVE-2022-0261.patch b/debian/patches/CVE-2022-0261.patch
new file mode 100644
index 0000000..c1a9026
--- /dev/null
+++ b/debian/patches/CVE-2022-0261.patch
@@ -0,0 +1,112 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 16:31:29 +0200
+Subject: CVE-2022-0261
+
+Origin: https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc
+---
+ src/ops.c | 41 ++++++++++++++++++++++++++---------------
+ src/testdir/test_visual.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 38 insertions(+), 15 deletions(-)
+
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -636,22 +636,26 @@ block_insert(
+ if (b_insert)
+ {
+ off = (*mb_head_off)(oldp, oldp + offset + spaces);
++ spaces -= off;
++ count -= off;
+ }
+ else
+ {
+- off = (*mb_off_next)(oldp, oldp + offset);
+- offset += off;
++ // spaces fill the gap, the character that's at the edge moves
++ // right
++ off = (*mb_head_off)(oldp, oldp + offset);
++ offset -= off;
+ }
+- spaces -= off;
+- count -= off;
+ }
+-
+- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1);
++ // Make sure the allocated size matches what is actually copied below.
++ newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
++ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
++ + count + 1);
+ if (newp == NULL)
+ continue;
+
+ /* copy up to shifted part */
+- mch_memmove(newp, oldp, (size_t)(offset));
++ mch_memmove(newp, oldp, (size_t)offset);
+ oldp += offset;
+
+ /* insert pre-padding */
+@@ -661,14 +665,21 @@ block_insert(
+ mch_memmove(newp + offset + spaces, s, (size_t)s_len);
+ offset += s_len;
+
+- if (spaces && !bdp->is_short)
++ if (spaces > 0 && !bdp->is_short)
+ {
+- /* insert post-padding */
+- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces));
+- /* We're splitting a TAB, don't copy it. */
+- oldp++;
+- /* We allowed for that TAB, remember this now */
+- count++;
++ if (*oldp == TAB)
++ {
++ // insert post-padding
++ vim_memset(newp + offset + spaces, ' ',
++ (size_t)(p_ts - spaces));
++ // we're splitting a TAB, don't copy it
++ oldp++;
++ // We allowed for that TAB, remember this now
++ count++;
++ }
++ else
++ // Not a TAB, no extra spaces
++ count = spaces;
+ }
+
+ if (spaces > 0)
+@@ -2702,7 +2713,7 @@ op_insert(oparg_T *oap, long count1)
+ oap->start_vcol = t;
+ }
+ else if (oap->op_type == OP_APPEND
+- && oap->end.col + oap->end.coladd
++ && oap->start.col + oap->start.coladd
+ >= curbuf->b_op_start_orig.col
+ + curbuf->b_op_start_orig.coladd)
+ {
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -397,3 +397,13 @@ func Test_Visual_paragraph_textobject()
+
+ bwipe!
+ endfunc
++
++func Test_visual_block_append_invalid_char()
++ " this was going over the end of the line
++ new
++ call setline(1, [' let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++ exe "normal 0\<C-V>jjA-\<Esc>"
++ call assert_equal([' - let xxx', 'xxxxx -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++ bwipe!
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -792,6 +792,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ { /* Add new patch number below this line */
+ /**/
++ 4120,
++/**/
+ 1401,
+ /**/
+ 1382,
diff --git a/debian/patches/CVE-2022-0319.patch b/debian/patches/CVE-2022-0319.patch
new file mode 100644
index 0000000..f8c0add
--- /dev/null
+++ b/debian/patches/CVE-2022-0319.patch
@@ -0,0 +1,47 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 17:11:51 +0200
+Subject: CVE-2022-0319
+
+Origin: https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9
+---
+ src/testdir/test_visual.vim | 10 ++++++++++
+ src/window.c | 5 +++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index afeb4da..0841952 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -3,6 +3,16 @@ if !has('visual')
+ finish
+ endif
+
++" this was causing an ml_get error
++func Test_visual_exchange_windows()
++ enew!
++ new
++ call setline(1, ['foo', 'bar'])
++ exe "normal G\<C-V>gg\<C-W>\<C-X>OO\<Esc>"
++ bwipe!
++ bwipe!
++endfunc
++
+
+ func Test_block_shift_multibyte()
+ " Uses double-wide character.
+diff --git a/src/window.c b/src/window.c
+index f78fcca..7c7f580 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1576,6 +1576,11 @@ win_exchange(long Prenum)
+
+ (void)win_comp_pos(); /* recompute window positions */
+
++ if (wp->w_buffer != curbuf)
++ reset_VIsual_and_resel();
++ else if (VIsual_active)
++ wp->w_cursor = curwin->w_cursor;
++
+ win_enter(wp, TRUE);
+ redraw_all_later(NOT_VALID);
+ }
diff --git a/debian/patches/CVE-2022-0351.patch b/debian/patches/CVE-2022-0351.patch
new file mode 100644
index 0000000..59d38ae
--- /dev/null
+++ b/debian/patches/CVE-2022-0351.patch
@@ -0,0 +1,58 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 17:18:10 +0200
+Subject: CVE-2022-0351
+
+Origin: https://github.com/vim/vim/commit/fe6fb267e6ee5c5da2f41889e4e0e0ac5bf4b89d
+---
+ src/eval.c | 10 ++++++++++
+ src/testdir/test_eval_stuff.vim | 5 +++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 3f9db7d..00c73a6 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -4159,6 +4159,7 @@ eval7(
+ char_u *start_leader, *end_leader;
+ int ret = OK;
+ char_u *alias;
++ static int recurse = 0;
+
+ /*
+ * Initialise variable so that clear_tv() can't mistake this for a
+@@ -4174,6 +4175,14 @@ eval7(
+ *arg = skipwhite(*arg + 1);
+ end_leader = *arg;
+
++ // Limit recursion to 1000 levels. At least at 10000 we run out of stack
++ // and crash.
++ if (recurse == 1000)
++ {
++ return FAIL;
++ }
++ ++recurse;
++
+ switch (**arg)
+ {
+ /*
+@@ -4481,6 +4490,7 @@ eval7(
+ }
+ }
+
++ --recurse;
+ return ret;
+ }
+
+diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
+index f4b3598..6c48c48 100644
+--- a/src/testdir/test_eval_stuff.vim
++++ b/src/testdir/test_eval_stuff.vim
+@@ -94,3 +94,8 @@ func Test_let_errmsg()
+ call assert_fails('let v:errmsg = []', 'E730:')
+ let v:errmsg = ''
+ endfunc
++
++func Test_deep_recursion()
++ " this was running out of stack
++ call assert_fails("exe 'if ' . repeat('(', 1002)")
++endfunc
diff --git a/debian/patches/CVE-2022-0359.patch b/debian/patches/CVE-2022-0359.patch
new file mode 100644
index 0000000..e2b8ff3
--- /dev/null
+++ b/debian/patches/CVE-2022-0359.patch
@@ -0,0 +1,54 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 23 Oct 2022 17:28:12 +0200
+Subject: CVE-2022-0359
+
+Origin: https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6cb1
+---
+ src/ex_getln.c | 2 +-
+ src/testdir/test_ex_equal.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index cba082a..328450c 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -898,7 +898,7 @@ getcmdline_int(
+ ccline.cmdindent = (firstc > 0 ? indent : 0);
+
+ /* alloc initial ccline.cmdbuff */
+- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
++ alloc_cmdbuff(indent + 50);
+ if (ccline.cmdbuff == NULL)
+ goto theend; // out of memory
+ ccline.cmdlen = ccline.cmdpos = 0;
+diff --git a/src/testdir/test_ex_equal.vim b/src/testdir/test_ex_equal.vim
+index 03cfc46..fa00072 100644
+--- a/src/testdir/test_ex_equal.vim
++++ b/src/testdir/test_ex_equal.vim
+@@ -43,3 +43,12 @@ func Test_open_command_flush_line()
+ endtry
+ bwipe!
+ endfunc
++
++func Test_ex_mode_large_indent()
++ new
++ set ts=500 ai
++ call setline(1, "\t")
++ exe "normal gQi\<CR>."
++ set ts=8 noai
++ bwipe!
++endfunc
+diff --git a/src/version.c b/src/version.c
+index 0a29ebb..586e9ca 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 4214,
+ /**/
+ 4120,
+ /**/
diff --git a/debian/patches/CVE-2022-0361.patch b/debian/patches/CVE-2022-0361.patch
new file mode 100644
index 0000000..d1354ed
--- /dev/null
+++ b/debian/patches/CVE-2022-0361.patch
@@ -0,0 +1,42 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 24 Oct 2022 00:58:11 +0200
+Subject: CVE-2022-0361
+
+Origin: https://github.com/vim/vim/commit/dc5490e2cbc8c16022a23b449b48c1bd0083f366
+---
+ src/ex_cmds.c | 2 ++
+ src/testdir/test_visual.vim | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 0b732c2..b18f58c 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -1074,6 +1074,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
+ }
+
+ appended_lines_mark(n, count);
++ if (VIsual_active)
++ check_pos(curbuf, &VIsual);
+
+ msgmore((long)count);
+ }
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index 0841952..e361f97 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -417,3 +417,14 @@ func Test_visual_block_append_invalid_char()
+ bwipe!
+ endfunc
+
++" CVE-2022-0361
++func Test_visual_ex_copy_line()
++ new
++ call setline(1, ["aaa", "bbbbbbbbbxbb"])
++ /x
++ exe "normal ggvjfxO"
++ t0
++ normal gNU
++ bwipe!
++endfunc
++
diff --git a/debian/patches/CVE-2022-0368.patch b/debian/patches/CVE-2022-0368.patch
new file mode 100644
index 0000000..23b8f91
--- /dev/null
+++ b/debian/patches/CVE-2022-0368.patch
@@ -0,0 +1,45 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 24 Oct 2022 00:59:40 +0200
+Subject: CVE-2022-0368
+
+Origin: https://github.com/vim/vim/commit/8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa
+---
+ src/testdir/test_visual.vim | 14 ++++++++++++++
+ src/undo.c | 2 ++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index e361f97..1454877 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -428,3 +428,17 @@ func Test_visual_ex_copy_line()
+ bwipe!
+ endfunc
+
++" CVE-2022-0368
++func Test_visual_undo_deletes_last_line()
++ new
++ call setline(1, ["aaa", "ccc", "dyd"])
++ set undolevels=100
++ exe "normal obbbbbbbbbxbb\<Esc>"
++ set undolevels=100
++ /y
++ exe "normal ggvjfxO"
++ undo
++ normal gNU
++ bwipe!
++endfunc
++
+diff --git a/src/undo.c b/src/undo.c
+index 6b6dd47..6da9c1a 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -2965,6 +2965,8 @@ u_undo_end(
+ }
+ }
+ #endif
++ if (VIsual_active)
++ check_pos(curbuf, &VIsual);
+
+ smsg_attr_keep(0, _("%ld %s; %s #%ld %s"),
+ u_oldcount < 0 ? -u_oldcount : u_oldcount,
diff --git a/debian/patches/CVE-2022-0408.patch b/debian/patches/CVE-2022-0408.patch
new file mode 100644
index 0000000..dc496c3
--- /dev/null
+++ b/debian/patches/CVE-2022-0408.patch
@@ -0,0 +1,87 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 26 Oct 2022 23:16:08 +0200
+Subject: CVE-2022-0408
+
+Origin: https://github.com/vim/vim/commit/06f15416bb8d5636200a10776f1752c4d6e49f31
+---
+ src/spell.c | 17 +++++++++++++++--
+ src/testdir/test_spell.vim | 10 ++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index 05756eb..758a12e 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -4191,7 +4191,7 @@ suggest_try_change(suginfo_T *su)
+
+ /* Check the maximum score, if we go over it we won't try this change. */
+ #define TRY_DEEPER(su, stack, depth, add) \
+- (stack[depth].ts_score + (add) < su->su_maxscore)
++ (depth < MAXWLEN && stack[depth].ts_score + (add) < su->su_maxscore)
+
+ /*
+ * Try finding suggestions by adding/removing/swapping letters.
+@@ -4263,6 +4263,9 @@ suggest_trie_walk(
+ char_u changename[MAXWLEN][80];
+ #endif
+ int breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++ proftime_T time_limit;
++#endif
+ int compound_ok;
+
+ /*
+@@ -4311,6 +4314,11 @@ suggest_trie_walk(
+ sp->ts_state = STATE_START;
+ }
+ }
++#ifdef FEAT_RELTIME
++ // The loop may take an indefinite amount of time. Break out after five
++ // sectonds. TODO: add an option for the time limit.
++ profile_setlimit(5000, &time_limit);
++#endif
+
+ /*
+ * Loop to find all suggestions. At each round we either:
+@@ -4349,7 +4357,8 @@ suggest_trie_walk(
+
+ /* At end of a prefix or at start of prefixtree: check for
+ * following word. */
+- if (byts[arridx] == 0 || n == (int)STATE_NOPREFIX)
++ if (depth < MAXWLEN
++ && (byts[arridx] == 0 || n == (int)STATE_NOPREFIX))
+ {
+ /* Set su->su_badflags to the caps type at this position.
+ * Use the caps type until here for the prefix itself. */
+@@ -5656,6 +5665,10 @@ suggest_trie_walk(
+ {
+ ui_breakcheck();
+ breakcheckcount = 1000;
++#ifdef FEAT_RELTIME
++ if (profile_passed_limit(&time_limit))
++ got_int = TRUE;
++#endif
+ }
+ }
+ }
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index 6fccc0e..0a7d8d4 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -388,6 +388,16 @@ func Test_zeq_crash()
+ bwipe!
+ endfunc
+
++func Test_spellsuggest_too_deep()
++ " This was incrementing "depth" over MAXWLEN.
++ new
++ set spell
++ norm s000G00ý000000000000
++ sil norm ..vzG................vvzG0 v z=
++ set nospell
++ bwipe!
++endfunc
++
+ func LoadAffAndDic(aff_contents, dic_contents)
+ set enc=latin1
+ set spellfile=
diff --git a/debian/patches/CVE-2022-0413.patch b/debian/patches/CVE-2022-0413.patch
new file mode 100644
index 0000000..f3daa2e
--- /dev/null
+++ b/debian/patches/CVE-2022-0413.patch
@@ -0,0 +1,80 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 26 Oct 2022 23:24:00 +0200
+Subject: CVE-2022-0413
+
+Origin: https://github.com/vim/vim/commit/37f47958b8a2a44abc60614271d9537e7f14e51a
+---
+ src/ex_cmds.c | 19 +++++++++++++++----
+ src/testdir/test_substitute.vim | 17 +++++++++++++++++
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index b18f58c..5ad8913 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4857,6 +4857,7 @@ do_sub(exarg_T *eap)
+ int save_do_all; /* remember user specified 'g' flag */
+ int save_do_ask; /* remember user specified 'c' flag */
+ char_u *pat = NULL, *sub = NULL; /* init for GCC */
++ char_u *sub_copy = NULL;
+ int delimiter;
+ int sublen;
+ int got_quit = FALSE;
+@@ -5152,11 +5153,20 @@ do_sub(exarg_T *eap)
+ sub_firstline = NULL;
+
+ /*
+- * ~ in the substitute pattern is replaced with the old pattern.
+- * We do it here once to avoid it to be replaced over and over again.
+- * But don't do it when it starts with "\=", then it's an expression.
++ * If the substitute pattern starts with "\=" then it's an expression.
++ * Make a copy, a recursive function may free it.
++ * Otherwise, '~' in the substitute pattern is replaced with the old
++ * pattern. We do it here once to avoid it to be replaced over and over
++ * again.
+ */
+- if (!(sub[0] == '\\' && sub[1] == '='))
++ if (sub[0] == '\\' && sub[1] == '=')
++ {
++ sub = vim_strsave(sub);
++ if (sub == NULL)
++ return;
++ sub_copy = sub;
++ }
++ else
+ sub = regtilde(sub, p_magic);
+
+ /*
+@@ -5925,6 +5935,7 @@ outofmem:
+ #endif
+
+ vim_regfree(regmatch.regprog);
++ vim_free(sub_copy);
+
+ /* Restore the flag values, they can be used for ":&&". */
+ subflags.do_all = save_do_all;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index d84daa7..c1e8f30 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -500,3 +500,20 @@ func Test_sub_cmd_8()
+ enew!
+ set titlestring&
+ endfunc
++
++" This was using "old_sub" after it was freed.
++func Test_using_old_sub()
++ set compatible maxfuncdepth=10
++ new
++ call setline(1, 'some text.')
++ func Repl()
++ ~
++ s/
++ endfunc
++ silent! s/\%')/\=Repl()
++
++ delfunc Repl
++ bwipe!
++ set nocompatible
++endfunc
++
diff --git a/debian/patches/CVE-2022-0417.patch b/debian/patches/CVE-2022-0417.patch
new file mode 100644
index 0000000..d5a99e0
--- /dev/null
+++ b/debian/patches/CVE-2022-0417.patch
@@ -0,0 +1,88 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 26 Oct 2022 23:26:57 +0200
+Subject: CVE-2022-0417
+
+Origin: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f5557a
+---
+ src/option.c | 16 +++++++++-------
+ src/testdir/test_options.vim | 2 ++
+ src/vim.h | 2 ++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 12d903f..f7643eb 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -9371,6 +9371,11 @@ set_num_option(
+ errmsg = e_positive;
+ curbuf->b_p_ts = 8;
+ }
++ else if (curbuf->b_p_ts > TABSTOP_MAX)
++ {
++ errmsg = e_invarg;
++ curbuf->b_p_ts = 8;
++ }
+ if (p_tm < 0)
+ {
+ errmsg = e_positive;
+@@ -11397,7 +11402,7 @@ buf_copy_options(buf_T *buf, int flags)
+ if (p_vsts && p_vsts != empty_option)
+ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ else
+- buf->b_p_vsts_array = 0;
++ buf->b_p_vsts_array = NULL;
+ buf->b_p_vsts_nopaste = p_vsts_nopaste
+ ? vim_strsave(p_vsts_nopaste) : NULL;
+ #endif
+@@ -12384,9 +12389,7 @@ paste_option_changed(void)
+ if (buf->b_p_vsts)
+ free_string_option(buf->b_p_vsts);
+ buf->b_p_vsts = empty_option;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
+- buf->b_p_vsts_array = 0;
++ VIM_CLEAR(buf->b_p_vsts_array);
+ #endif
+ }
+
+@@ -12432,12 +12435,11 @@ paste_option_changed(void)
+ free_string_option(buf->b_p_vsts);
+ buf->b_p_vsts = buf->b_p_vsts_nopaste
+ ? vim_strsave(buf->b_p_vsts_nopaste) : empty_option;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
++ vim_free(buf->b_p_vsts_array);
+ if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ else
+- buf->b_p_vsts_array = 0;
++ buf->b_p_vsts_array = NULL;
+ #endif
+ }
+
+diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
+index 83b315d..50aae7c 100644
+--- a/src/testdir/test_options.vim
++++ b/src/testdir/test_options.vim
+@@ -234,6 +234,8 @@ func Test_set_errors()
+ call assert_fails('set shiftwidth=-1', 'E487:')
+ call assert_fails('set sidescroll=-1', 'E487:')
+ call assert_fails('set tabstop=-1', 'E487:')
++ call assert_fails('set tabstop=10000', 'E474:')
++ call assert_fails('set tabstop=5500000000', 'E474:')
+ call assert_fails('set textwidth=-1', 'E487:')
+ call assert_fails('set timeoutlen=-1', 'E487:')
+ call assert_fails('set updatecount=-1', 'E487:')
+diff --git a/src/vim.h b/src/vim.h
+index 7ee164a..dfc96bc 100644
+--- a/src/vim.h
++++ b/src/vim.h
+@@ -1988,6 +1988,8 @@ typedef int sock_T;
+ #define VAR_TYPE_CHANNEL 9
+ #define VAR_TYPE_BLOB 10
+
++#define TABSTOP_MAX 9999
++
+ #ifdef FEAT_CLIPBOARD
+
+ /* VIM_ATOM_NAME is the older Vim-specific selection type for X11. Still
diff --git a/debian/patches/CVE-2022-0443.patch b/debian/patches/CVE-2022-0443.patch
new file mode 100644
index 0000000..fdf2329
--- /dev/null
+++ b/debian/patches/CVE-2022-0443.patch
@@ -0,0 +1,79 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 20:10:52 +0100
+Subject: CVE-2022-0443
+
+Origin: https://github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d461
+---
+ src/buffer.c | 15 ++++++++++-----
+ src/testdir/test_quickfix.vim | 16 ++++++++++++++++
+ 2 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 590a63c..4cac106 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1627,6 +1627,7 @@ set_curbuf(buf_T *buf, int action)
+ #endif
+ bufref_T newbufref;
+ bufref_T prevbufref;
++ int valid;
+
+ setpcmark();
+ if (!cmdmod.keepalt)
+@@ -1679,13 +1680,19 @@ set_curbuf(buf_T *buf, int action)
+ /* An autocommand may have deleted "buf", already entered it (e.g., when
+ * it did ":bunload") or aborted the script processing.
+ * If curwin->w_buffer is null, enter_buffer() will make it valid again */
+- if ((buf_valid(buf) && buf != curbuf
++ valid = buf_valid(buf);
++ if ((valid && buf != curbuf
+ #ifdef FEAT_EVAL
+ && !aborting()
+ #endif
+ ) || curwin->w_buffer == NULL)
+ {
+- enter_buffer(buf);
++ // If the buffer is not valid but curwin->w_buffer is NULL we must
++ // enter some buffer. Using the last one is hopefully OK.
++ if (!valid)
++ enter_buffer(lastbuf);
++ else
++ enter_buffer(buf);
+ #ifdef FEAT_SYN_HL
+ if (old_tw != curbuf->b_p_tw)
+ check_colorcolumn(curwin);
+@@ -2166,9 +2173,7 @@ free_buf_options(
+ if (buf->b_p_vsts_nopaste)
+ vim_free(buf->b_p_vsts_nopaste);
+ buf->b_p_vsts_nopaste = NULL;
+- if (buf->b_p_vsts_array)
+- vim_free(buf->b_p_vsts_array);
+- buf->b_p_vsts_array = NULL;
++ VIM_CLEAR(buf->b_p_vsts_array);
+ clear_string_option(&buf->b_p_vts);
+ VIM_CLEAR(buf->b_p_vts_array);
+ #endif
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index e7aa41e..8668224 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -3899,3 +3899,19 @@ func Test_viscol()
+ set efm&
+ call delete('Xfile1')
+ endfunc
++
++" Weird sequence of commands that caused entering a wiped-out buffer
++func Test_lopen_bwipe()
++ func! R()
++ silent! tab lopen
++ e x
++ silent! lfile
++ endfunc
++
++ cal R()
++ cal R()
++ cal R()
++ bw!
++ delfunc R
++endfunc
++
diff --git a/debian/patches/CVE-2022-0554.patch b/debian/patches/CVE-2022-0554.patch
new file mode 100644
index 0000000..ac5038e
--- /dev/null
+++ b/debian/patches/CVE-2022-0554.patch
@@ -0,0 +1,68 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 20:13:30 +0100
+Subject: CVE-2022-0554
+
+Origin: https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8
+---
+ src/buffer.c | 26 ++++++++++++++++++++++----
+ src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+), 4 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 4cac106..912ace9 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -1471,8 +1471,14 @@ do_buffer(
+ buf = buflist_findnr(curwin->w_jumplist[jumpidx].fmark.fnum);
+ if (buf != NULL)
+ {
+- if (buf == curbuf || !buf->b_p_bl)
+- buf = NULL; /* skip current and unlisted bufs */
++ // Skip current and unlisted bufs. Also skip a quickfix
++ // buffer, it might be deleted soon.
++ if (buf == curbuf || !buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++ || bt_quickfix(buf)
++#endif
++ )
++ buf = NULL;
+ else if (buf->b_ml.ml_mfp == NULL)
+ {
+ /* skip unloaded buf, but may keep it for later */
+@@ -1509,7 +1515,11 @@ do_buffer(
+ continue;
+ }
+ /* in non-help buffer, try to skip help buffers, and vv */
+- if (buf->b_help == curbuf->b_help && buf->b_p_bl)
++ if (buf->b_help == curbuf->b_help && buf->b_p_bl
++#if defined(FEAT_QUICKFIX)
++ && !bt_quickfix(buf)
++#endif
++ )
+ {
+ if (buf->b_ml.ml_mfp != NULL) /* found loaded buffer */
+ break;
+@@ -1527,7 +1537,11 @@ do_buffer(
+ if (buf == NULL) /* No loaded buffer, find listed one */
+ {
+ FOR_ALL_BUFFERS(buf)
+- if (buf->b_p_bl && buf != curbuf)
++ if (buf->b_p_bl && buf != curbuf
++#if defined(FEAT_QUICKFIX)
++ && !bt_quickfix(buf)
++#endif
++ )
+ break;
+ }
+ if (buf == NULL) /* Still no buffer, just take one */
+@@ -1536,6 +1550,10 @@ do_buffer(
+ buf = curbuf->b_next;
+ else
+ buf = curbuf->b_prev;
++#if defined(FEAT_QUICKFIX)
++ if (bt_quickfix(buf))
++ buf = NULL;
++#endif
+ }
+ }
+
diff --git a/debian/patches/CVE-2022-0572.patch b/debian/patches/CVE-2022-0572.patch
new file mode 100644
index 0000000..0121992
--- /dev/null
+++ b/debian/patches/CVE-2022-0572.patch
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 20:40:53 +0100
+Subject: CVE-2022-0572
+
+Origin: https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f
+---
+ src/ex_cmds.c | 4 ++++
+ src/testdir/test_retab.vim | 19 +++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 5ad8913..b3be24e 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -821,6 +821,10 @@ ex_retab(exarg_T *eap)
+ if (ptr[col] == NUL)
+ break;
+ vcol += chartabsize(ptr + col, (colnr_T)vcol);
++ if (vcol >= MAXCOL)
++ {
++ break;
++ }
+ if (has_mbyte)
+ col += (*mb_ptr2len)(ptr + col);
+ else
diff --git a/debian/patches/CVE-2022-0685.patch b/debian/patches/CVE-2022-0685.patch
new file mode 100644
index 0000000..14e5210
--- /dev/null
+++ b/debian/patches/CVE-2022-0685.patch
@@ -0,0 +1,47 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 20:51:31 +0100
+Subject: CVE-2022-0685
+
+Origin: https://github.com/vim/vim/commit/5921aeb5741fc6e84c870d68c7c35b93ad0c9f87
+---
+ src/charset.c | 6 ++++++
+ src/proto/charset.pro | 2 +-
+ src/testdir/test_autochdir.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 4 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/charset.c b/src/charset.c
+index 1fbbaee..427686d 100644
+--- a/src/charset.c
++++ b/src/charset.c
+@@ -1672,6 +1672,12 @@ vim_isupper(int c)
+ return isupper(c);
+ }
+
++ int
++vim_isalpha(int c)
++{
++ return vim_islower(c) || vim_isupper(c);
++}
++
+ int
+ vim_toupper(int c)
+ {
+diff --git a/src/proto/charset.pro b/src/proto/charset.pro
+index bb4132f..c078ff6 100644
+--- a/src/proto/charset.pro
++++ b/src/proto/charset.pro
+@@ -48,6 +48,7 @@ int vim_isxdigit(int c);
+ int vim_isbdigit(int c);
+ int vim_islower(int c);
+ int vim_isupper(int c);
++int vim_isalpha(int c);
+ int vim_toupper(int c);
+ int vim_tolower(int c);
+ char_u *skiptowhite(char_u *p);
+@@ -60,5 +61,4 @@ int hexhex2nr(char_u *p);
+ int rem_backslash(char_u *str);
+ void backslash_halve(char_u *p);
+ char_u *backslash_halve_save(char_u *p);
+-void ebcdic2ascii(char_u *buffer, int len);
+ /* vim: set ft=c : */
diff --git a/debian/patches/CVE-2022-0714.patch b/debian/patches/CVE-2022-0714.patch
new file mode 100644
index 0000000..1b86d51
--- /dev/null
+++ b/debian/patches/CVE-2022-0714.patch
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 21:56:04 +0100
+Subject: CVE-2022-0714
+
+Origin: https://github.com/vim/vim/commit/4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa
+---
+ src/edit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/edit.c b/src/edit.c
+index eac4803..df84631 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -2113,6 +2113,8 @@ change_indent(
+ new_cursor_col += (*mb_ptr2len)(ptr + new_cursor_col);
+ else
+ ++new_cursor_col;
++ if (ptr[new_cursor_col] == NUL)
++ break;
+ vcol += lbr_chartabsize(ptr, ptr + new_cursor_col, (colnr_T)vcol);
+ }
+ vcol = last_vcol;
diff --git a/debian/patches/CVE-2022-0729.patch b/debian/patches/CVE-2022-0729.patch
new file mode 100644
index 0000000..7333268
--- /dev/null
+++ b/debian/patches/CVE-2022-0729.patch
@@ -0,0 +1,43 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 22:10:14 +0100
+Subject: CVE-2022-0729
+
+Origin: https://github.com/vim/vim/commit/6456fae9ba8e72c74b2c0c499eaf09974604ff30
+---
+ src/regexp.c | 5 +++++
+ src/testdir/test_regexp_utf8.vim | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 6ad928d..33414ce 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -5575,6 +5575,11 @@ regmatch(
+ if (rex.input == rex.line)
+ {
+ /* backup to last char of previous line */
++ if (rex.lnum == 0)
++ {
++ status = RA_NOMATCH;
++ break;
++ }
+ --rex.lnum;
+ rex.line = reg_getline(rex.lnum);
+ /* Just in case regrepeat() didn't count
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index 75485dc..378bc21 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -215,4 +215,12 @@ func Test_match_invalid_byte()
+ call delete('Xinvalid')
+ endfunc
+
++func Test_match_too_complicated()
++ set regexpengine=1
++ exe "vsplit \xeb\xdb\x99"
++ silent! buf \&\zs*\zs*0
++ bwipe!
++ set regexpengine=0
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/debian/patches/CVE-2022-0943.patch b/debian/patches/CVE-2022-0943.patch
new file mode 100644
index 0000000..b4870dc
--- /dev/null
+++ b/debian/patches/CVE-2022-0943.patch
@@ -0,0 +1,53 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 22:14:06 +0100
+Subject: CVE-2022-0943
+
+Origin: https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653a3
+---
+ src/spell.c | 4 ++++
+ src/testdir/test_spell.vim | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/src/spell.c b/src/spell.c
+index 758a12e..2d36953 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -3259,6 +3259,10 @@ spell_suggest(int count)
+ curwin->w_cursor.col = VIsual.col;
+ ++badlen;
+ end_visual_mode();
++ // make sure we don't include the NUL at the end of the line
++ line = ml_get_curline();
++ if (badlen > STRLEN(line) - curwin->w_cursor.col)
++ badlen = STRLEN(line) - curwin->w_cursor.col;
+ }
+ /* Find the start of the badly spelled word. */
+ else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index 0a7d8d4..50e2d54 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -126,6 +126,23 @@ func Test_spellreall()
+ bwipe!
+ endfunc
+
++func Test_spellsuggest_visual_end_of_line()
++ set spell
++ let enc_save = &encoding
++ set encoding=iso8859
++
++ " This was reading beyond the end of the line.
++ norm R00000000000
++ sil norm ^V0
++ sil! norm ^Vi00000)
++ sil! norm ^Vi00000)
++ call feedkeys("\<CR>")
++ norm z=
++
++ let &encoding = enc_save
++ set nospell
++endfunc
++
+ func Test_spellinfo()
+ new
+
diff --git a/debian/patches/CVE-2022-1154.patch b/debian/patches/CVE-2022-1154.patch
new file mode 100644
index 0000000..42799a0
--- /dev/null
+++ b/debian/patches/CVE-2022-1154.patch
@@ -0,0 +1,31 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 30 Oct 2022 22:46:37 +0100
+Subject: CVE-2022-1154
+
+Origin: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5
+---
+ src/regexp.c | 8 ++++++++
+ src/testdir/test_regexp_latin.vim | 14 ++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 33414ce..4345df9 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -4322,8 +4322,16 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? rex.input - rex.line : 0;
+
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ if (pos == NULL /* mark doesn't exist */
+ || pos->lnum <= 0 /* mark isn't set in reg_buf */
+ || (pos->lnum == rex.lnum + rex.reg_firstlnum
diff --git a/debian/patches/CVE-2022-1616.patch b/debian/patches/CVE-2022-1616.patch
new file mode 100644
index 0000000..85a2ed0
--- /dev/null
+++ b/debian/patches/CVE-2022-1616.patch
@@ -0,0 +1,53 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 31 Oct 2022 14:50:16 +0100
+Subject: CVE-2022-1616
+
+Origin: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c
+---
+ src/ex_docmd.c | 4 +++-
+ src/testdir/test_cmdline.vim | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index 1dfa95d..bb8d719 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3116,7 +3116,7 @@ append_command(char_u *cmd)
+
+ STRCAT(IObuff, ": ");
+ d = IObuff + STRLEN(IObuff);
+- while (*s != NUL && d - IObuff < IOSIZE - 7)
++ while (*s != NUL && d - IObuff + 5 < IOSIZE)
+ {
+ if (enc_utf8 ? (s[0] == 0xc2 && s[1] == 0xa0) : *s == 0xa0)
+ {
+@@ -3124,6 +3124,8 @@ append_command(char_u *cmd)
+ STRCPY(d, "<a0>");
+ d += 4;
+ }
++ else if (d - IObuff + (*mb_ptr2len)(s) + 1 >= IOSIZE)
++ break;
+ else
+ MB_COPY_CHAR(s, d);
+ }
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 02eeb6b..46f18dc 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -609,4 +609,16 @@ func Test_cmdline_overstrike()
+ let &encoding = encoding_save
+ endfunc
+
++" this was going over the end of IObuff
++func Test_report_error_with_composing()
++ let caught = 'no'
++ try
++ exe repeat('0', 987) . "0\xdd\x80\xdd\x80\xdd\x80\xdd\x80"
++ catch /E492:/
++ let caught = 'yes'
++ endtry
++ call assert_equal('yes', caught)
++endfunc
++
++
+ set cpo&
diff --git a/debian/patches/CVE-2022-1720.patch b/debian/patches/CVE-2022-1720.patch
new file mode 100644
index 0000000..80855fb
--- /dev/null
+++ b/debian/patches/CVE-2022-1720.patch
@@ -0,0 +1,34 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 31 Oct 2022 20:40:05 +0100
+Subject: CVE-2022-1720
+
+Origin: https://github.com/vim/vim/commit/395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab93c
+---
+ src/normal.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index 2c36c15..ebda136 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5777,9 +5777,17 @@ get_visual_text(
+ *pp = ml_get_pos(&VIsual);
+ *lenp = curwin->w_cursor.col - VIsual.col + 1;
+ }
+- if (has_mbyte)
+- /* Correct the length to include the whole last character. */
+- *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
++ if (*lenp > 0)
++ {
++ if (has_mbyte)
++ // Correct the length to include all bytes of the last
++ // character.
++ *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
++ else if ((*pp)[*lenp - 1] == NUL)
++ // Do not include a trailing NUL.
++ *lenp -= 1;
++ }
++
+ }
+ reset_VIsual_and_resel();
+ return OK;
diff --git a/debian/patches/CVE-2022-1851.patch b/debian/patches/CVE-2022-1851.patch
new file mode 100644
index 0000000..1b84df9
--- /dev/null
+++ b/debian/patches/CVE-2022-1851.patch
@@ -0,0 +1,44 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 2 Nov 2022 15:12:10 +0100
+Subject: CVE-2022-1851
+
+Origin: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad
+---
+ src/ops.c | 3 +++
+ src/testdir/test_textformat.vim | 12 ++++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/src/ops.c b/src/ops.c
+index 4c81922..84b5f90 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -4778,6 +4778,9 @@ op_format(
+ {
+ curwin->w_cursor = saved_cursor;
+ saved_cursor.lnum = 0;
++
++ // formatting may have made the cursor position invalid
++ check_cursor();
+ }
+
+ if (oap->is_VIsual)
+diff --git a/src/testdir/test_textformat.vim b/src/testdir/test_textformat.vim
+index 13fb50b..508e18b 100644
+--- a/src/testdir/test_textformat.vim
++++ b/src/testdir/test_textformat.vim
+@@ -489,3 +489,15 @@ func Test_format_list_auto()
+ bwipe!
+ set fo& ai& bs&
+ endfunc
++
++" This was leaving the cursor after the end of a line. Complicated way to
++" have the problem show up with valgrind.
++func Test_correct_cursor_position()
++ set encoding=iso8859
++ new
++ norm a0000
++ sil! norm gggg0i0gw0gg
++
++ bwipe!
++ set encoding=utf8
++endfunc
diff --git a/debian/patches/CVE-2022-1898.patch b/debian/patches/CVE-2022-1898.patch
new file mode 100644
index 0000000..c5817ba
--- /dev/null
+++ b/debian/patches/CVE-2022-1898.patch
@@ -0,0 +1,65 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 2 Nov 2022 22:07:35 +0100
+Subject: CVE-2022-1898
+
+Origin: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a
+---
+ src/normal.c | 6 ++++++
+ src/testdir/test_tagjump.vim | 6 ++++++
+ src/version.c | 2 ++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/src/normal.c b/src/normal.c
+index ebda136..c3b6897 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -6426,6 +6426,11 @@ nv_brackets(cmdarg_T *cap)
+ clearop(cap->oap);
+ else
+ {
++ // Make a copy, if the line was changed it will be freed.
++ ptr = vim_strnsave(ptr, len);
++ if (ptr == NULL)
++ return;
++
+ find_pattern_in_path(ptr, 0, len, TRUE,
+ cap->count0 == 0 ? !isupper(cap->nchar) : FALSE,
+ ((cap->nchar & 0xf) == ('d' & 0xf)) ? FIND_DEFINE : FIND_ANY,
+@@ -6434,6 +6439,7 @@ nv_brackets(cmdarg_T *cap)
+ islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO,
+ cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1,
+ (linenr_T)MAXLNUM);
++ vim_free(ptr);
+ curwin->w_set_curswant = TRUE;
+ }
+ }
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index ae47a69..da4af2f 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -255,6 +255,12 @@ func Test_tagjump_etags()
+ call delete('Xtags')
+ call delete('Xmain.c')
+ bwipe!
++
++ new somefile
++ call setline(1, ['first line', '', '#define something 0'])
++ sil norm 0o0
++ sil! norm ]d
++ bwipe!
+ endfunc
+
+ " Test for getting and modifying the tag stack
+diff --git a/src/version.c b/src/version.c
+index 586e9ca..cd174b0 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 5024,
+ /**/
+ 4214,
+ /**/
diff --git a/debian/patches/CVE-2022-2285.patch b/debian/patches/CVE-2022-2285.patch
new file mode 100644
index 0000000..5105f02
--- /dev/null
+++ b/debian/patches/CVE-2022-2285.patch
@@ -0,0 +1,40 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 2 Nov 2022 22:34:23 +0100
+Subject: CVE-2022-2285
+
+Origin: https://github.com/vim/vim/commit/27efc62f5d86afcb2ecb7565587fe8dea4b036fe
+---
+ src/term.c | 1 +
+ src/testdir/test_mapping.vim | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/term.c b/src/term.c
+index 47d2bda..bc46ed9 100644
+--- a/src/term.c
++++ b/src/term.c
+@@ -4440,6 +4440,7 @@ check_termcode(
+ if (*tp == ESC && !p_ek && (State & INSERT))
+ continue;
+
++ tp[len] = NUL;
+ key_name[0] = NUL; /* no key name found yet */
+ key_name[1] = NUL; /* no key name found yet */
+ modifiers = 0; /* no modifiers yet */
+diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
+index c454fc0..3c81bb5 100644
+--- a/src/testdir/test_mapping.vim
++++ b/src/testdir/test_mapping.vim
+@@ -318,3 +318,13 @@ func Test_motionforce_omap()
+ delfunc Select
+ delfunc GetCommand
+ endfunc
++
++func Test_using_past_typeahead()
++ nnoremap :00 0
++ exe "norm :set \x80\xfb0=0\<CR>"
++ exe "sil norm :0\x0f\<C-U>\<CR>"
++
++ exe "norm :set \x80\xfb0=\<CR>"
++ nunmap :00
++endfunc
++
diff --git a/debian/patches/CVE-2022-2304.patch b/debian/patches/CVE-2022-2304.patch
new file mode 100644
index 0000000..a76927d
--- /dev/null
+++ b/debian/patches/CVE-2022-2304.patch
@@ -0,0 +1,56 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 2 Nov 2022 23:13:09 +0100
+Subject: CVE-2022-2304
+
+Origin: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e70939
+---
+ src/spell.c | 5 +++--
+ src/testdir/test_spell.vim | 14 ++++++++++++++
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/spell.c b/src/spell.c
+index 2d36953..3d9e7c8 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -8505,9 +8505,10 @@ spell_dump_compl(
+ n = arridx[depth] + curi[depth];
+ ++curi[depth];
+ c = byts[n];
+- if (c == 0)
++ if (c == 0 || depth >= MAXWLEN - 1)
+ {
+- /* End of word, deal with the word.
++ /* End of word or reached maximum length, deal with the
++ * word.
+ * Don't use keep-case words in the fold-case tree,
+ * they will appear in the keep-case tree.
+ * Only use the word when the region matches. */
+diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
+index 50e2d54..afbb6d8 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -260,6 +260,19 @@ func Test_zz_compound()
+
+ endfunc
+
++func Test_spell_dump_word_length()
++ " this was running over MAXWLEN
++ new
++ noremap 0 0a0zW0000000
++ sil! norm 0z=0
++ sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
++ sil! norm 0z=0
++
++ bwipe!
++ nunmap 0
++endfunc
++
++
+ "Test affix flags with two characters
+ func Test_zz_affix()
+ call LoadAffAndDic(g:test_data_aff5, g:test_data_dic5)
+@@ -922,3 +935,4 @@ let g:test_data_aff_sal = [
+ \"SAL ZZ- _",
+ \"SAL Z S",
+ \ ]
++
diff --git a/debian/patches/CVE-2022-2598.patch b/debian/patches/CVE-2022-2598.patch
new file mode 100644
index 0000000..d7732d4
--- /dev/null
+++ b/debian/patches/CVE-2022-2598.patch
@@ -0,0 +1,60 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 6 Nov 2022 23:00:10 +0100
+Subject: CVE-2022-2598
+
+Origin: https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf05541d
+---
+ src/diff.c | 9 ++++++---
+ src/testdir/test_diffmode.vim | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/diff.c b/src/diff.c
+index d368f96..745cb87 100644
+--- a/src/diff.c
++++ b/src/diff.c
+@@ -451,7 +451,10 @@ diff_mark_adjust_tp(
+ for (i = 0; i < DB_COUNT; ++i)
+ if (tp->tp_diffbuf[i] != NULL && i != idx)
+ {
+- dp->df_lnum[i] -= off;
++ if (dp->df_lnum[i] > off)
++ dp->df_lnum[i] -= off;
++ else
++ dp->df_lnum[i] = 1;
+ dp->df_count[i] += n;
+ }
+ }
+@@ -2735,8 +2738,8 @@ ex_diffgetput(exarg_T *eap)
+ {
+ /* remember deleting the last line of the buffer */
+ buf_empty = curbuf->b_ml.ml_line_count == 1;
+- ml_delete(lnum, FALSE);
+- --added;
++ if (ml_delete(lnum, FALSE) == OK)
++ --added;
+ }
+ for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
+ {
+diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
+index 84fb451..3ced8cd 100644
+--- a/src/testdir/test_diffmode.vim
++++ b/src/testdir/test_diffmode.vim
+@@ -913,3 +913,18 @@ func Test_diff_of_diff()
+ call StopVimInTerminal(buf)
+ call delete('Xtest_diff_diff')
+ endfunc
++
++" This was causing the line number in the diff block to go below one.
++" FIXME: somehow this causes a valgrind error when run directly but not when
++" run as a test.
++func Test_diff_put_and_undo()
++ set diff
++ next 0
++ split 00
++ sil! norm o0gguudpo0ggJuudp
++
++ bwipe!
++ bwipe!
++ set nodiff
++endfunc
++
diff --git a/debian/patches/CVE-2022-2946.patch b/debian/patches/CVE-2022-2946.patch
new file mode 100644
index 0000000..b3dadb9
--- /dev/null
+++ b/debian/patches/CVE-2022-2946.patch
@@ -0,0 +1,44 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 6 Nov 2022 23:12:54 +0100
+Subject: CVE-2022-2946
+
+Origin: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c
+---
+ src/tag.c | 9 ++++++++-
+ src/testdir/test_tagcase.vim | 12 ++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/tag.c b/src/tag.c
+index b1915e1..4e96da3 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -146,6 +146,7 @@ do_tag(
+ int attr;
+ int use_tagstack;
+ int skip_msg = FALSE;
++ char_u *tofree = NULL;
+ char_u *buf_ffname = curbuf->b_ffname; /* name to use for
+ priority computation */
+
+@@ -486,7 +487,12 @@ do_tag(
+ * When desired match not found yet, try to find it (and others).
+ */
+ if (use_tagstack)
+- name = tagstack[tagstackidx].tagname;
++ {
++ // make a copy, the tagstack may change in 'tagfunc'
++ name = vim_strsave(tagstack[tagstackidx].tagname);
++ vim_free(tofree);
++ tofree = name;
++ }
+ #if defined(FEAT_QUICKFIX)
+ else if (g_do_tagpreview != 0)
+ name = ptag_entry.tagname;
+@@ -1078,6 +1084,7 @@ end_do_tag:
+ g_do_tagpreview = 0; /* don't do tag preview next time */
+ # endif
+
++ vim_free(tofree);
+ #ifdef FEAT_CSCOPE
+ return jumped_to_tag;
+ #else
diff --git a/debian/patches/CVE-2022-3099.patch b/debian/patches/CVE-2022-3099.patch
new file mode 100644
index 0000000..1dd5203
--- /dev/null
+++ b/debian/patches/CVE-2022-3099.patch
@@ -0,0 +1,23 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 00:03:56 +0100
+Subject: CVE-2022-3099
+
+Origin: https://github.com/vim/vim/commit/35d21c6830fc2d68aca838424a0e786821c5891c
+---
+ src/ex_docmd.c | 2 +-
+ src/testdir/test_eval_stuff.vim | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index bb8d719..5321962 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -1109,7 +1109,7 @@ do_cmdline(
+
+ /* Check for the next breakpoint at or after the ":while"
+ * or ":for". */
+- if (breakpoint != NULL)
++ if (breakpoint != NULL && lines_ga.ga_len > current_line)
+ {
+ *breakpoint = dbg_find_breakpoint(
+ getline_equal(fgetline, cookie, getsourceline),
diff --git a/debian/patches/CVE-2022-3134.patch b/debian/patches/CVE-2022-3134.patch
new file mode 100644
index 0000000..16f8949
--- /dev/null
+++ b/debian/patches/CVE-2022-3134.patch
@@ -0,0 +1,29 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 00:33:16 +0100
+Subject: CVE-2022-3134
+
+Origin: https://github.com/vim/vim/commit/ccfde4d028e891a41e3548323c3d47b06fb0b83e
+---
+ src/tag.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/tag.c b/src/tag.c
+index 4e96da3..6fcd6ee 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -539,6 +539,15 @@ do_tag(
+ max_num_matches = MAXCOL; /* If less than max_num_matches
+ found: all matches found. */
+
++ // A tag function may do anything, which may cause various
++ // information to become invalid. At least check for the tagstack
++ // to still be the same.
++ if (tagstack != curwin->w_tagstack)
++ {
++ FreeWild(new_num_matches, new_matches);
++ break;
++ }
++
+ /* If there already were some matches for the same name, move them
+ * to the start. Avoids that the order changes when using
+ * ":tnext" and jumping to another file. */
diff --git a/debian/patches/CVE-2022-3234.patch b/debian/patches/CVE-2022-3234.patch
new file mode 100644
index 0000000..16207d5
--- /dev/null
+++ b/debian/patches/CVE-2022-3234.patch
@@ -0,0 +1,71 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 00:35:02 +0100
+Subject: CVE-2022-3234
+
+Origin: https://github.com/vim/vim/commit/c249913edc35c0e666d783bfc21595cf9f7d9e0d
+---
+ src/ops.c | 12 ++++++++++--
+ src/testdir/test_virtualedit.vim | 14 ++++++++++++++
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/ops.c b/src/ops.c
+index 84b5f90..c2319b1 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -2295,6 +2295,8 @@ op_replace(oparg_T *oap, int c)
+
+ while (LTOREQ_POS(curwin->w_cursor, oap->end))
+ {
++ int done = FALSE;
++
+ n = gchar_cursor();
+ if (n != NUL)
+ {
+@@ -2305,6 +2307,7 @@ op_replace(oparg_T *oap, int c)
+ if (curwin->w_cursor.lnum == oap->end.lnum)
+ oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n);
+ replace_character(c);
++ done = TRUE;
+ }
+ else
+ {
+@@ -2323,10 +2326,15 @@ op_replace(oparg_T *oap, int c)
+ if (curwin->w_cursor.lnum == oap->end.lnum)
+ getvpos(&oap->end, end_vcol);
+ }
+- PBYTE(curwin->w_cursor, c);
++ // with "coladd" set may move to just after a TAB
++ if (gchar_cursor() != NUL)
++ {
++ PBYTE(curwin->w_cursor, c);
++ done = TRUE;
++ }
+ }
+ }
+- else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
++ if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum)
+ {
+ int virtcols = oap->end.coladd;
+
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 67adede..6b8fdfd 100644
+--- a/src/testdir/test_virtualedit.vim
++++ b/src/testdir/test_virtualedit.vim
+@@ -73,3 +73,17 @@ func Test_edit_CTRL_G()
+ bwipe!
+ set virtualedit=
+ endfunc
++
++" this was replacing the NUL at the end of the line
++func Test_virtualedit_replace_after_tab()
++ new
++ s/\v/ 0
++ set ve=all
++ let @" = ''
++ sil! norm vPvr0
++
++ call assert_equal("\t0", getline(1))
++ set ve&
++ bwipe!
++endfunc
++
diff --git a/debian/patches/CVE-2022-3324.patch b/debian/patches/CVE-2022-3324.patch
new file mode 100644
index 0000000..59b60e6
--- /dev/null
+++ b/debian/patches/CVE-2022-3324.patch
@@ -0,0 +1,65 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 00:48:30 +0100
+Subject: CVE-2022-3324
+
+Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bfeb
+---
+ src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
+ src/window.c | 5 ++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 3878637..4a35201 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -620,5 +620,27 @@ func Test_report_error_with_composing()
+ call assert_equal('yes', caught)
+ endfunc
+
++" This was resulting in a window with negative width.
++" The test doesn't reproduce the illegal memory access though...
++func Test_cmdwin_split_often()
++ let lines = &lines
++ let columns = &columns
++ set t_WS=
++
++ try
++ set encoding=iso8859
++ set ruler
++ winsize 0 0
++ noremap 0 H
++ sil norm 0000000q:
++ catch /E36:/
++ endtry
++
++ bwipe!
++ set encoding=utf8
++ let &lines = lines
++ let &columns = columns
++endfunc
++
+
+ set cpo&
+diff --git a/src/window.c b/src/window.c
+index 7c7f580..c4d97d6 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -1945,6 +1945,8 @@ win_equal_rec(
+ if (hnc) /* add next_curwin size */
+ {
+ next_curwin_size -= p_wiw - (m - n);
++ if (next_curwin_size < 0)
++ next_curwin_size = 0;
+ new_size += next_curwin_size;
+ room -= new_size - next_curwin_size;
+ }
+@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
+ void
+ win_new_width(win_T *wp, int width)
+ {
+- wp->w_width = width;
++ // Should we give an error if width < 0?
++ wp->w_width = width < 0 ? 0 : width;
+ wp->w_lines_valid = 0;
+ changed_line_abv_curs_win(wp);
+ invalidate_botline_win(wp);
diff --git a/debian/patches/CVE-2022-3705.patch b/debian/patches/CVE-2022-3705.patch
new file mode 100644
index 0000000..febdb59
--- /dev/null
+++ b/debian/patches/CVE-2022-3705.patch
@@ -0,0 +1,71 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 7 Nov 2022 01:01:37 +0100
+Subject: CVE-2022-3705
+
+Origin: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731
+---
+ src/quickfix.c | 6 ++++++
+ src/testdir/test_quickfix.vim | 15 +++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/src/quickfix.c b/src/quickfix.c
+index 3bfa027..d6f773b 100644
+--- a/src/quickfix.c
++++ b/src/quickfix.c
+@@ -4274,6 +4274,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
+ // when the added lines are not visible.
+ if ((win = qf_find_win(qi)) != NULL && old_line_count < win->w_botline)
+ redraw_buf_later(buf, NOT_VALID);
++
++ // always called after incr_quickfix_busy()
++ decr_quickfix_busy();
+ }
+ }
+
+@@ -4408,6 +4411,9 @@ qf_fill_buffer(qf_info_T *qi, buf_T *buf, qfline_T *old_last)
+ break;
+ }
+
++ // autocommands may cause trouble
++ incr_quickfix_busy();
++
+ if (old_last == NULL)
+ // Delete the empty line which is now at the end
+ (void)ml_delete(lnum + 1, FALSE);
+diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
+index 2e5fffa..860e417 100644
+--- a/src/testdir/test_quickfix.vim
++++ b/src/testdir/test_quickfix.vim
+@@ -3931,3 +3931,18 @@ func Test_lopen_bwipe()
+ delfunc R
+ endfunc
+
++func Test_filetype_autocmd()
++ " this changes the location list while it is in use to fill a buffer
++ lexpr ''
++ lopen
++ augroup FT_loclist
++ au FileType * call setloclist(0, [], 'f')
++ augroup END
++ silent! lolder
++ lexpr ''
++
++ augroup FT_loclist
++ au! FileType
++ augroup END
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index cd174b0..28f8753 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 805,
+ /**/
+ 5024,
+ /**/
diff --git a/debian/patches/CVE_2022-1968.patch b/debian/patches/CVE_2022-1968.patch
new file mode 100644
index 0000000..eab9980
--- /dev/null
+++ b/debian/patches/CVE_2022-1968.patch
@@ -0,0 +1,84 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 2 Nov 2022 22:11:50 +0100
+Subject: CVE_2022-1968
+
+Origin: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895
+---
+ src/search.c | 21 ++++++++++++++++++---
+ src/testdir/test_tagjump.vim | 12 ++++++++++++
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/search.c b/src/search.c
+index 4b3f853..9a17918 100644
+--- a/src/search.c
++++ b/src/search.c
+@@ -4852,6 +4852,21 @@ linewhite(linenr_T lnum)
+ #endif
+
+ #if defined(FEAT_FIND_ID) || defined(PROTO)
++
++/*
++ * Get line "lnum" and copy it into "buf[LSIZE]".
++ * The copy is made because the regexp may make the line invalid when using a
++ * mark.
++ */
++ static char_u *
++get_line_and_copy(linenr_T lnum, char_u *buf)
++{
++ char_u *line = ml_get(lnum);
++
++ vim_strncpy(buf, line, LSIZE - 1);
++ return buf;
++}
++
+ /*
+ * Find identifiers or defines in included files.
+ * If p_ic && (compl_cont_status & CONT_SOL) then ptr must be in lowercase.
+@@ -4958,7 +4973,7 @@ find_pattern_in_path(
+ end_lnum = curbuf->b_ml.ml_line_count;
+ if (lnum > end_lnum) /* do at least one line */
+ lnum = end_lnum;
+- line = ml_get(lnum);
++ line = get_line_and_copy(lnum, file_line);
+
+ for (;;)
+ {
+@@ -5296,7 +5311,7 @@ search_line:
+ {
+ if (lnum >= end_lnum)
+ goto exit_matched;
+- line = ml_get(++lnum);
++ line = get_line_and_copy(++lnum, file_line);
+ }
+ else if (vim_fgets(line = file_line,
+ LSIZE, files[depth].fp))
+@@ -5511,7 +5526,7 @@ exit_matched:
+ {
+ if (++lnum > end_lnum)
+ break;
+- line = ml_get(lnum);
++ line = get_line_and_copy(lnum, file_line);
+ }
+ already = NULL;
+ }
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index da4af2f..7605730 100644
+--- a/src/testdir/test_tagjump.vim
++++ b/src/testdir/test_tagjump.vim
+@@ -372,4 +372,16 @@ func Test_getsettagstack()
+ set tags&
+ endfunc
+
++" this was using a line from ml_get() freed by the regexp
++func Test_isearch_copy_line()
++ new
++ norm o
++ norm 0
++ 0norm o
++ sil! norm bc0
++ sil! isearch \%')
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
diff --git a/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch b/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
index 9cb8486..598d83d 100644
--- a/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
+++ b/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
@@ -12,8 +12,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
runtime/autoload/dist/ft.vim | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/runtime/autoload/dist/ft.vim b/runtime/autoload/dist/ft.vim
-index de45faa..6a4294c 100644
--- a/runtime/autoload/dist/ft.vim
+++ b/runtime/autoload/dist/ft.vim
@@ -665,7 +665,7 @@ func dist#ft#FTtex()
diff --git a/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch b/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
index 8c23cad..09d6f33 100644
--- a/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
+++ b/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
@@ -7,8 +7,6 @@ Closes: #382541
runtime/scripts.vim | 8 ++++++++
1 file changed, 8 insertions(+)
-diff --git a/runtime/scripts.vim b/runtime/scripts.vim
-index ab66c0c..a755bc7 100644
--- a/runtime/scripts.vim
+++ b/runtime/scripts.vim
@@ -356,6 +356,14 @@ else
diff --git a/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch b/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
index 7c23fbb..15e0075 100644
--- a/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
+++ b/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
@@ -14,11 +14,9 @@ Signed-off-by: James McCoy <jamessan@debian.org>
runtime/doc/options.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
-index c9e2b0b..c269fea 100644
--- a/runtime/doc/options.txt
+++ b/runtime/doc/options.txt
-@@ -5392,7 +5392,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5392,7 +5392,7 @@ A jump table for the options with a shor
*'modeline'* *'ml'* *'nomodeline'* *'noml'*
'modeline' 'ml' boolean (Vim default: on (off for root),
diff --git a/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch b/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
index 4822934..2589083 100644
--- a/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
+++ b/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
@@ -16,8 +16,6 @@ Signed-off-by: James Vega <jamessan@debian.org>
src/structs.h | 3 +++
3 files changed, 19 insertions(+), 1 deletion(-)
-diff --git a/src/main.c b/src/main.c
-index df204bc..cb31bf1 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1786,6 +1786,10 @@ parse_command_name(mparm_T *parmp)
@@ -45,18 +43,16 @@ index df204bc..cb31bf1 100644
#endif
#ifdef MACOS_X
(void)do_source((char_u *)"$VIMRUNTIME/macmap.vim", FALSE, DOSO_NONE);
-@@ -3067,6 +3076,9 @@ source_startup_scripts(mparm_T *parmp)
- && do_source((char_u *)USR_EXRC_FILE, FALSE, DOSO_NONE) == FAIL
+@@ -3068,6 +3077,9 @@ source_startup_scripts(mparm_T *parmp)
#ifdef USR_EXRC_FILE2
&& do_source((char_u *)USR_EXRC_FILE2, FALSE, DOSO_NONE) == FAIL
-+#endif
+ #endif
+#if defined(SYS_TINYRC_FILE) && defined(TINY_VIMRC)
+ && !parmp->vi_mode
- #endif
++#endif
&& !has_dash_c_arg)
{
-diff --git a/src/os_unix.h b/src/os_unix.h
-index 8919ff0..fcc82eb 100644
+ /* When no .vimrc file was found: source defaults.vim. */
--- a/src/os_unix.h
+++ b/src/os_unix.h
@@ -213,6 +213,9 @@ typedef struct dsc$descriptor DESC;
@@ -69,8 +65,6 @@ index 8919ff0..fcc82eb 100644
#ifndef SYS_VIMRC_FILE
# define SYS_VIMRC_FILE "$VIM/vimrc"
#endif
-diff --git a/src/structs.h b/src/structs.h
-index 5d0541b..d2ca1fc 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -3472,6 +3472,9 @@ typedef struct
diff --git a/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch b/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
index 9ffbc87..983d263 100644
--- a/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
+++ b/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
@@ -9,8 +9,6 @@ Solution: Adjust the uname match. (James McCoy, closes #3909)
src/version.c | 2 ++
2 files changed, 4 insertions(+)
-diff --git a/src/testdir/test_functions.vim b/src/testdir/test_functions.vim
-index b08d9aa..e75a896 100644
--- a/src/testdir/test_functions.vim
+++ b/src/testdir/test_functions.vim
@@ -1238,6 +1238,8 @@ func Test_platform_name()
@@ -22,16 +20,14 @@ index b08d9aa..e75a896 100644
call assert_equal(uname =~? 'HP-UX', has('hpux'))
call assert_equal(uname =~? 'Linux', has('linux'))
call assert_equal(uname =~? 'Darwin', has('mac'))
-diff --git a/src/version.c b/src/version.c
-index 0b86826..f5f9439 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 878,
/**/
++ 878,
++/**/
875,
/**/
+ 874,
diff --git a/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch b/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch
index 6888aed..cde362d 100644
--- a/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch
+++ b/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch
@@ -9,8 +9,6 @@ Solution: Delete the old line.
src/version.c | 2 ++
2 files changed, 2 insertions(+), 1 deletion(-)
-diff --git a/src/testdir/test_functions.vim b/src/testdir/test_functions.vim
-index e75a896..69e6ce0 100644
--- a/src/testdir/test_functions.vim
+++ b/src/testdir/test_functions.vim
@@ -1237,7 +1237,6 @@ func Test_platform_name()
@@ -21,16 +19,14 @@ index e75a896..69e6ce0 100644
" GNU userland on BSD kernels (e.g., GNU/kFreeBSD) don't have BSD defined
call assert_equal(uname =~? '\%(GNU/k\w\+\)\@<!BSD\|DragonFly', has('bsd'))
call assert_equal(uname =~? 'HP-UX', has('hpux'))
-diff --git a/src/version.c b/src/version.c
-index f5f9439..46f63e7 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 884,
/**/
++ 884,
++/**/
878,
/**/
+ 875,
diff --git a/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch b/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
index 8544ba9..56e6a4f 100644
--- a/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
+++ b/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
@@ -11,8 +11,6 @@ Solution: Do not enable filetype detection.
src/version.c | 2 ++
2 files changed, 30 insertions(+), 23 deletions(-)
-diff --git a/runtime/defaults.vim b/runtime/defaults.vim
-index b848217..e8a0ff4 100644
--- a/runtime/defaults.vim
+++ b/runtime/defaults.vim
@@ -1,7 +1,7 @@
@@ -48,11 +46,10 @@ index b848217..e8a0ff4 100644
- \ if line("'\"") >= 1 && line("'\"") <= line("$") && &ft !~# 'commit'
- \ | exe "normal! g`\""
- \ | endif
--
--augroup END
+" Only do this part when Vim was compiled with the +eval feature.
+if 1
-+
+
+-augroup END
+ " Enable file type detection.
+ " Use the default filetype settings, so that mail gets 'tw' set to 72,
+ " 'cindent' is on in C files, etc.
@@ -80,16 +77,14 @@ index b848217..e8a0ff4 100644
" Convenient command to see the difference between the current buffer and the
" file it was loaded from, thus the changes you made.
-diff --git a/src/version.c b/src/version.c
-index 46f63e7..b59878e 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 948,
/**/
++ 948,
++/**/
884,
/**/
+ 878,
diff --git a/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch b/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch
index bc56542..ec39eac 100644
--- a/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch
+++ b/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch
@@ -14,8 +14,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 ++
3 files changed, 7 insertions(+), 6 deletions(-)
-diff --git a/src/buffer.c b/src/buffer.c
-index 98d505f..2c5c282 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5510,7 +5510,7 @@ chk_modeline(
@@ -27,8 +25,6 @@ index 98d505f..2c5c282 100644
retval = do_set(s, OPT_MODELINE | OPT_LOCAL | flags);
-diff --git a/src/option.c b/src/option.c
-index 77d1024..4b6157d 100644
--- a/src/option.c
+++ b/src/option.c
@@ -5161,13 +5161,12 @@ do_set(
@@ -49,16 +45,14 @@ index 77d1024..4b6157d 100644
// Handle side effects, and set the global value
// for ":set" on local options. Note: when setting
-diff --git a/src/version.c b/src/version.c
-index b59878e..1a7ffa4 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1046,
/**/
++ 1046,
++/**/
948,
/**/
+ 884,
diff --git a/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch b/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch
index 0124ad8..64a7ae5 100644
--- a/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch
+++ b/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch
@@ -14,8 +14,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 ++
3 files changed, 17 insertions(+)
-diff --git a/src/getchar.c b/src/getchar.c
-index fe74dbf..3e4c964 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -1407,6 +1407,12 @@ openscript(
@@ -31,8 +29,6 @@ index fe74dbf..3e4c964 100644
#ifdef FEAT_EVAL
if (ignore_script)
/* Not reading from script, also don't open one. Warning message? */
-diff --git a/src/testdir/test_source.vim b/src/testdir/test_source.vim
-index a33d286..5166baf 100644
--- a/src/testdir/test_source.vim
+++ b/src/testdir/test_source.vim
@@ -36,3 +36,12 @@ func Test_source_cmd()
@@ -48,16 +44,14 @@ index a33d286..5166baf 100644
+ call assert_fails('sandbox source! Xsourcehello', 'E48:')
+ bwipe!
+endfunc
-diff --git a/src/version.c b/src/version.c
-index 1a7ffa4..3040409 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1365,
/**/
++ 1365,
++/**/
1046,
/**/
+ 948,
diff --git a/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch b/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch
index 6918fc7..eb32b06 100644
--- a/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch
+++ b/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch
@@ -18,8 +18,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 +
6 files changed, 169 insertions(+), 33 deletions(-)
-diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
-index c269fea..7b25f20 100644
--- a/runtime/doc/options.txt
+++ b/runtime/doc/options.txt
@@ -1,4 +1,4 @@
@@ -28,7 +26,7 @@ index c269fea..7b25f20 100644
VIM REFERENCE MANUAL by Bram Moolenaar
-@@ -588,14 +588,17 @@ backslash in front of the ':' will be removed. Example:
+@@ -588,14 +588,17 @@ backslash in front of the ':' will be re
/* vi:set dir=c\:\tmp: */ ~
This sets the 'dir' option to "c:\tmp". Only a single backslash before the
':' is removed. Thus to include "\:" you have to specify "\\:".
@@ -52,7 +50,7 @@ index c269fea..7b25f20 100644
Hint: If you would like to do something else than setting an option, you could
define an autocommand that checks the file for a specific string. For
-@@ -1189,6 +1192,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -1189,6 +1192,7 @@ A jump table for the options with a shor
The expression will be evaluated in the |sandbox| when set from a
modeline, see |sandbox-option|.
@@ -60,7 +58,7 @@ index c269fea..7b25f20 100644
It is not allowed to change text or jump to another window while
evaluating 'balloonexpr' |textlock|.
-@@ -3354,7 +3358,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -3354,7 +3358,7 @@ A jump table for the options with a shor
The expression will be evaluated in the |sandbox| if set from a
modeline, see |sandbox-option|.
This option can't be set from a |modeline| when the 'diff' option is
@@ -69,7 +67,7 @@ index c269fea..7b25f20 100644
It is not allowed to change text or jump to another window while
evaluating 'foldexpr' |textlock|.
-@@ -3496,6 +3500,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -3496,6 +3500,7 @@ A jump table for the options with a shor
The expression will be evaluated in the |sandbox| if set from a
modeline, see |sandbox-option|.
@@ -77,7 +75,7 @@ index c269fea..7b25f20 100644
It is not allowed to change text or jump to another window while
evaluating 'foldtext' |textlock|.
-@@ -3534,6 +3539,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -3534,6 +3539,7 @@ A jump table for the options with a shor
The expression will be evaluated in the |sandbox| when set from a
modeline, see |sandbox-option|. That stops the option from working,
since changing the buffer text is not allowed.
@@ -85,7 +83,7 @@ index c269fea..7b25f20 100644
NOTE: This option is set to "" when 'compatible' is set.
*'formatoptions'* *'fo'*
-@@ -3594,6 +3600,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -3594,6 +3600,8 @@ A jump table for the options with a shor
Also see 'swapsync' for controlling fsync() on swap files.
'fsync' also applies to |writefile()|, unless a flag is used to
overrule it.
@@ -94,7 +92,7 @@ index c269fea..7b25f20 100644
*'gdefault'* *'gd'* *'nogdefault'* *'nogd'*
'gdefault' 'gd' boolean (default off)
-@@ -3888,7 +3896,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -3888,7 +3896,7 @@ A jump table for the options with a shor
*'guiheadroom'* *'ghr'*
'guiheadroom' 'ghr' number (default 50)
global
@@ -103,7 +101,7 @@ index c269fea..7b25f20 100644
The number of pixels subtracted from the screen height when fitting
the GUI window on the screen. Set this before the GUI is started,
e.g., in your |gvimrc| file. When zero, the whole screen height will
-@@ -4049,6 +4057,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4049,6 +4057,7 @@ A jump table for the options with a shor
'guitabtooltip' is used for the tooltip, see below.
The expression will be evaluated in the |sandbox| when set from a
modeline, see |sandbox-option|.
@@ -111,7 +109,7 @@ index c269fea..7b25f20 100644
Only used when the GUI tab pages line is displayed. 'e' must be
present in 'guioptions'. For the non-GUI tab pages line 'tabline' is
-@@ -4311,6 +4320,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4311,6 +4320,7 @@ A jump table for the options with a shor
When this option contains printf-style '%' items, they will be
expanded according to the rules used for 'statusline'. See
'titlestring' for example settings.
@@ -119,7 +117,7 @@ index c269fea..7b25f20 100644
{not available when compiled without the |+statusline| feature}
*'ignorecase'* *'ic'* *'noignorecase'* *'noic'*
-@@ -4331,6 +4341,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4331,6 +4341,8 @@ A jump table for the options with a shor
This option specifies a function that will be called to
activate or deactivate the Input Method.
It is not used in the GUI.
@@ -128,7 +126,7 @@ index c269fea..7b25f20 100644
Example: >
function ImActivateFunc(active)
-@@ -4459,6 +4471,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4459,6 +4471,8 @@ A jump table for the options with a shor
set imstatusfunc=ImStatusFunc
<
NOTE: This function is invoked very often. Keep it fast.
@@ -137,7 +135,7 @@ index c269fea..7b25f20 100644
*'imstyle'* *'imst'*
'imstyle' 'imst' number (default 1)
-@@ -4476,6 +4490,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4476,6 +4490,8 @@ A jump table for the options with a shor
|single-repeat|, etc. Therefore over-the-spot style becomes the
default now. This should work fine for most people, however if you
have any problem with it, try using on-the-spot style.
@@ -146,7 +144,7 @@ index c269fea..7b25f20 100644
*'include'* *'inc'*
'include' 'inc' string (default "^\s*#\s*include")
-@@ -4512,6 +4528,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4512,6 +4528,7 @@ A jump table for the options with a shor
The expression will be evaluated in the |sandbox| when set from a
modeline, see |sandbox-option|.
@@ -154,7 +152,7 @@ index c269fea..7b25f20 100644
It is not allowed to change text or jump to another window while
evaluating 'includeexpr' |textlock|.
-@@ -4601,6 +4618,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -4601,6 +4618,7 @@ A jump table for the options with a shor
The expression will be evaluated in the |sandbox| when set from a
modeline, see |sandbox-option|.
@@ -162,7 +160,7 @@ index c269fea..7b25f20 100644
It is not allowed to change text or jump to another window while
evaluating 'indentexpr' |textlock|.
-@@ -5227,6 +5245,12 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5227,6 +5245,12 @@ A jump table for the options with a shor
< This option cannot be set from a |modeline| or in the |sandbox|, for
security reasons.
@@ -175,7 +173,7 @@ index c269fea..7b25f20 100644
*'matchpairs'* *'mps'*
'matchpairs' 'mps' string (default "(:),{:},[:]")
local to buffer
-@@ -5250,7 +5274,6 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5250,7 +5274,6 @@ A jump table for the options with a shor
*'matchtime'* *'mat'*
'matchtime' 'mat' number (default 5)
global
@@ -183,7 +181,7 @@ index c269fea..7b25f20 100644
Tenths of a second to show the matching paren, when 'showmatch' is
set. Note that this is not in milliseconds, like other options that
set a time. This is to be compatible with Nvi.
-@@ -5394,6 +5417,17 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5394,6 +5417,17 @@ A jump table for the options with a shor
'modeline' 'ml' boolean (Vim default: on (off for root),
Debian: off, Vi default: off)
local to buffer
@@ -201,7 +199,7 @@ index c269fea..7b25f20 100644
*'modelines'* *'mls'*
'modelines' 'mls' number (default 5)
global
-@@ -5405,9 +5439,9 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5405,9 +5439,9 @@ A jump table for the options with a shor
set and to the Vim default value when 'compatible' is reset.
*'modifiable'* *'ma'* *'nomodifiable'* *'noma'*
@@ -212,7 +210,7 @@ index c269fea..7b25f20 100644
When off the buffer contents cannot be changed. The 'fileformat' and
'fileencoding' options also can't be changed.
Can be reset on startup with the |-M| command line argument.
-@@ -6456,6 +6490,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -6456,6 +6490,8 @@ A jump table for the options with a shor
When this option is not empty, it determines the content of the ruler
string, as displayed for the 'ruler' option.
The format of this option is like that of 'statusline'.
@@ -221,7 +219,7 @@ index c269fea..7b25f20 100644
The default ruler width is 17 characters. To make the ruler 15
characters wide, put "%15(" at the start and "%)" at the end.
Example: >
-@@ -7016,6 +7052,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -7016,6 +7052,8 @@ A jump table for the options with a shor
q use "recording" instead of "recording @a"
F don't give the file info when editing a file, like `:silent`
was used for the command
@@ -230,7 +228,7 @@ index c269fea..7b25f20 100644
This gives you the opportunity to avoid that a change between buffers
requires you to hit <Enter>, but still gives as useful a message as
-@@ -7600,6 +7638,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -7600,6 +7638,7 @@ A jump table for the options with a shor
The 'statusline' option will be evaluated in the |sandbox| if set from
a modeline, see |sandbox-option|.
@@ -238,7 +236,7 @@ index c269fea..7b25f20 100644
It is not allowed to change text or jump to another window while
evaluating 'statusline' |textlock|.
-@@ -7786,6 +7825,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -7786,6 +7825,7 @@ A jump table for the options with a shor
When changing something that is used in 'tabline' that does not
trigger it to be updated, use |:redrawtabline|.
@@ -246,7 +244,7 @@ index c269fea..7b25f20 100644
Keep in mind that only one of the tab pages is the current one, others
are invisible and you can't jump to their windows.
-@@ -8329,8 +8369,11 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -8329,8 +8369,11 @@ A jump table for the options with a shor
non-empty 't_ts' option).
When Vim was compiled with HAVE_X11 defined, the original title will
be restored if possible, see |X11|.
@@ -258,7 +256,7 @@ index c269fea..7b25f20 100644
Example: >
:auto BufEnter * let &titlestring = hostname() . "/" . expand("%:p")
:set title titlestring=%<%F%=%l/%L-%P titlelen=70
-@@ -8520,6 +8563,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -8520,6 +8563,8 @@ A jump table for the options with a shor
undo file that exists is used. When it cannot be read an error is
given, no further entry is used.
See |undo-persistence|.
@@ -267,7 +265,7 @@ index c269fea..7b25f20 100644
*'undofile'* *'noundofile'* *'udf'* *'noudf'*
'undofile' 'udf' boolean (default off)
-@@ -8843,6 +8888,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -8843,6 +8888,8 @@ A jump table for the options with a shor
When equal to "NONE" no viminfo file will be read or written.
This option can be set with the |-i| command line flag. The |--clean|
command line flag sets it to "NONE".
@@ -276,8 +274,6 @@ index c269fea..7b25f20 100644
*'virtualedit'* *'ve'*
'virtualedit' 've' string (default "")
-diff --git a/src/option.c b/src/option.c
-index 4b6157d..e1e89d5 100644
--- a/src/option.c
+++ b/src/option.c
@@ -462,6 +462,7 @@ struct vimoption
@@ -427,8 +423,6 @@ index 4b6157d..e1e89d5 100644
#ifdef FEAT_DIFF
/* In diff mode some options are overruled. This avoids that
* 'foldmethod' becomes "marker" instead of "diff" and that
-diff --git a/src/option.h b/src/option.h
-index 2985781..1cef928 100644
--- a/src/option.h
+++ b/src/option.h
@@ -640,6 +640,7 @@ EXTERN long p_mis; /* 'menuitems' */
@@ -439,11 +433,9 @@ index 2985781..1cef928 100644
EXTERN long p_mls; /* 'modelines' */
EXTERN char_u *p_mouse; /* 'mouse' */
#ifdef FEAT_GUI
-diff --git a/src/testdir/test49.in b/src/testdir/test49.in
-index 79f13f6..a0c9e0d 100644
--- a/src/testdir/test49.in
+++ b/src/testdir/test49.in
-@@ -5,7 +5,7 @@ test49.failed, try to add one or more "G"s at the line ending in "test.out"
+@@ -5,7 +5,7 @@ test49.failed, try to add one or more "G
STARTTEST
:so small.vim
@@ -452,8 +444,6 @@ index 79f13f6..a0c9e0d 100644
:lang mess C
:so test49.vim
:" Go back to this file and append the results from register r.
-diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
-index e0f97c4..101116c 100644
--- a/src/testdir/test_modeline.vim
+++ b/src/testdir/test_modeline.vim
@@ -60,14 +60,17 @@ func Test_modeline_keymap()
@@ -573,16 +563,14 @@ index e0f97c4..101116c 100644
+ call s:modeline_fails('tabline', 'tabline=Something()', 'E992:')
+ call s:modeline_fails('titlestring', 'titlestring=Something()', 'E992:')
endfunc
-diff --git a/src/version.c b/src/version.c
-index 3040409..2cbc426 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1366,
/**/
++ 1366,
++/**/
1365,
/**/
+ 1046,
diff --git a/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch b/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch
index fd94f36..715b301 100644
--- a/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch
+++ b/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch
@@ -14,8 +14,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
-diff --git a/src/option.c b/src/option.c
-index e1e89d5..e3f5f5d 100644
--- a/src/option.c
+++ b/src/option.c
@@ -1892,7 +1892,7 @@ static struct vimoption options[] =
@@ -27,8 +25,6 @@ index e1e89d5..e3f5f5d 100644
(char_u *)&p_mle, PV_NONE,
{(char_u *)FALSE, (char_u *)0L} SCTX_INIT},
{"modelines", "mls", P_NUM|P_VI_DEF,
-diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
-index 101116c..89c06ba 100644
--- a/src/testdir/test_modeline.vim
+++ b/src/testdir/test_modeline.vim
@@ -119,6 +119,7 @@ func Test_modeline_fails_always()
@@ -39,16 +35,14 @@ index 101116c..89c06ba 100644
call s:modeline_fails('omnifunc', 'omnifunc=Something()', 'E520:')
call s:modeline_fails('operatorfunc', 'operatorfunc=Something()', 'E520:')
call s:modeline_fails('perldll', 'perldll=Something()', 'E520:')
-diff --git a/src/version.c b/src/version.c
-index 2cbc426..0ce8831 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1367,
/**/
++ 1367,
++/**/
1366,
/**/
+ 1365,
diff --git a/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch b/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch
index 36bbbe9..a46d571 100644
--- a/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch
+++ b/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch
@@ -14,8 +14,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
-diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
-index 89c06ba..7251036 100644
--- a/src/testdir/test_modeline.vim
+++ b/src/testdir/test_modeline.vim
@@ -127,7 +127,7 @@ func Test_modeline_fails_always()
@@ -27,16 +25,14 @@ index 89c06ba..7251036 100644
call s:modeline_fails('pythonthreedll', 'pythonthreedll=Something()', 'E520:')
call s:modeline_fails('pythonthreehome', 'pythonthreehome=Something()', 'E520:')
call s:modeline_fails('pyxversion', 'pyxversion=Something()', 'E520:')
-diff --git a/src/version.c b/src/version.c
-index 0ce8831..90acd77 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1368,
/**/
++ 1368,
++/**/
1367,
/**/
+ 1366,
diff --git a/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch b/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch
index 114c2a4..d771c7c 100644
--- a/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch
+++ b/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch
@@ -15,11 +15,9 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 ++
4 files changed, 4 insertions(+), 4 deletions(-)
-diff --git a/src/testdir/test49.in b/src/testdir/test49.in
-index a0c9e0d..79f13f6 100644
--- a/src/testdir/test49.in
+++ b/src/testdir/test49.in
-@@ -5,7 +5,7 @@ test49.failed, try to add one or more "G"s at the line ending in "test.out"
+@@ -5,7 +5,7 @@ test49.failed, try to add one or more "G
STARTTEST
:so small.vim
@@ -28,8 +26,6 @@ index a0c9e0d..79f13f6 100644
:lang mess C
:so test49.vim
:" Go back to this file and append the results from register r.
-diff --git a/src/testdir/test49.vim b/src/testdir/test49.vim
-index 97088f0..7393ec4 100644
--- a/src/testdir/test49.vim
+++ b/src/testdir/test49.vim
@@ -1,6 +1,6 @@
@@ -46,8 +42,6 @@ index 97088f0..7393ec4 100644
" vim: ts=8 sw=4 tw=80 fdm=marker
-" vim: fdt=substitute(substitute(foldtext(),\ '\\%(^+--\\)\\@<=\\(\\s*\\)\\(.\\{-}\\)\:\ \\%(\"\ \\)\\=\\(Test\ \\d*\\)\:\\s*',\ '\\3\ (\\2)\:\ \\1',\ \"\"),\ '\\(Test\\s*\\)\\(\\d\\)\\D\\@=',\ '\\1\ \\2',\ "")
"-------------------------------------------------------------------------------
-diff --git a/src/testdir/test_vimscript.vim b/src/testdir/test_vimscript.vim
-index 9de0a62..24379ed 100644
--- a/src/testdir/test_vimscript.vim
+++ b/src/testdir/test_vimscript.vim
@@ -1444,5 +1444,4 @@ endfunc
@@ -56,16 +50,14 @@ index 9de0a62..24379ed 100644
" vim: ts=8 sw=4 tw=80 fdm=marker
-" vim: fdt=substitute(substitute(foldtext(),\ '\\%(^+--\\)\\@<=\\(\\s*\\)\\(.\\{-}\\)\:\ \\%(\"\ \\)\\=\\(Test\ \\d*\\)\:\\s*',\ '\\3\ (\\2)\:\ \\1',\ \"\"),\ '\\(Test\\s*\\)\\(\\d\\)\\D\\@=',\ '\\1\ \\2',\ "")
"-------------------------------------------------------------------------------
-diff --git a/src/version.c b/src/version.c
-index 90acd77..a0ca945 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1382,
/**/
++ 1382,
++/**/
1368,
/**/
+ 1367,
diff --git a/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch b/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch
index 5f422ac..e093f24 100644
--- a/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch
+++ b/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch
@@ -15,11 +15,9 @@ Signed-off-by: James McCoy <jamessan@debian.org>
src/version.c | 2 ++
3 files changed, 5 insertions(+), 7 deletions(-)
-diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
-index 7b25f20..4ab87db 100644
--- a/runtime/doc/options.txt
+++ b/runtime/doc/options.txt
-@@ -5245,12 +5245,6 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5245,12 +5245,6 @@ A jump table for the options with a shor
< This option cannot be set from a |modeline| or in the |sandbox|, for
security reasons.
@@ -32,7 +30,7 @@ index 7b25f20..4ab87db 100644
*'matchpairs'* *'mps'*
'matchpairs' 'mps' string (default "(:),{:},[:]")
local to buffer
-@@ -5413,6 +5407,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+@@ -5413,6 +5407,8 @@ A jump table for the options with a shor
< If you have less than 512 Mbyte |:mkspell| may fail for some
languages, no matter what you set 'mkspellmem' to.
@@ -41,8 +39,6 @@ index 7b25f20..4ab87db 100644
*'modeline'* *'ml'* *'nomodeline'* *'noml'*
'modeline' 'ml' boolean (Vim default: on (off for root),
Debian: off, Vi default: off)
-diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
-index 7251036..b5513d5 100644
--- a/src/testdir/test_modeline.vim
+++ b/src/testdir/test_modeline.vim
@@ -116,7 +116,7 @@ func Test_modeline_fails_always()
@@ -54,16 +50,14 @@ index 7251036..b5513d5 100644
call s:modeline_fails('mzschemedll', 'mzschemedll=Something()', 'E520:')
call s:modeline_fails('mzschemegcdll', 'mzschemegcdll=Something()', 'E520:')
call s:modeline_fails('modelineexpr', 'modelineexpr', 'E520:')
-diff --git a/src/version.c b/src/version.c
-index a0ca945..1b5d863 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 1401,
/**/
++ 1401,
++/**/
1382,
/**/
+ 1368,
diff --git a/debian/patches/series b/debian/patches/series
index 9a8f88a..5cb3483 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,44 @@ upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
+CVE-2021-3872.patch
+CVE-2021-3927.patch
+CVE-2021-3928.patch
+CVE-2021-3974.patch
+CVE-2021-3984.patch
+CVE-2021-4019.patch
+CVE-2021-4069.patch
+CVE-2021-4192.patch
+CVE-2021-4193.patch
+CVE-2022-0213.patch
+CVE-2022-0261.patch
+CVE-2022-0319.patch
+CVE-2022-0351.patch
+CVE-2022-0359.patch
+CVE-2022-0361.patch
+CVE-2022-0368.patch
+CVE-2022-0408.patch
+CVE-2022-0413.patch
+CVE-2022-0417.patch
+CVE-2022-0443.patch
+CVE-2022-0554.patch
+CVE-2022-0572.patch
+CVE-2022-0685.patch
+CVE-2022-0714.patch
+CVE-2022-0729.patch
+CVE-2022-0943.patch
+CVE-2022-1154.patch
+CVE-2022-1616.patch
+CVE-2022-1720.patch
+CVE-2022-1851.patch
+CVE-2022-1898.patch
+CVE_2022-1968.patch
+CVE-2022-2285.patch
+CVE-2022-2304.patch
+CVE-2022-2598.patch
+CVE-2022-2946.patch
+CVE-2022-3099.patch
+CVE-2022-3134.patch
+CVE-2022-3234.patch
+CVE-2022-3324.patch
+CVE-2022-3705.patch
diff --git a/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch b/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
index f26c02a..2615e36 100644
--- a/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
+++ b/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
@@ -22,8 +22,6 @@ preprocessor's __DATE__/__TIME__ symbols will be used.
src/version.c | 8 ++++++++
3 files changed, 21 insertions(+)
-diff --git a/src/config.h.in b/src/config.h.in
-index d1aaf70..78cf319 100644
--- a/src/config.h.in
+++ b/src/config.h.in
@@ -30,6 +30,9 @@
@@ -36,11 +34,9 @@ index d1aaf70..78cf319 100644
/* Define when __attribute__((unused)) can be used */
#undef HAVE_ATTRIBUTE_UNUSED
-diff --git a/src/configure.ac b/src/configure.ac
-index 2b7725b..21ca7a1 100644
--- a/src/configure.ac
+++ b/src/configure.ac
-@@ -62,6 +62,16 @@ if test x"$ac_cv_prog_cc_c99" != xno; then
+@@ -62,6 +62,16 @@ if test x"$ac_cv_prog_cc_c99" != xno; th
fi
fi
@@ -57,8 +53,6 @@ index 2b7725b..21ca7a1 100644
dnl Check for the flag that fails if stuff are missing.
AC_MSG_CHECKING(--enable-fail-if-missing argument)
-diff --git a/src/version.c b/src/version.c
-index 9b2e7c9..0b86826 100644
--- a/src/version.c
+++ b/src/version.c
@@ -44,9 +44,13 @@ init_longVersion(void)
diff --git a/debian/patches/upstream/deb-release-names.patch b/debian/patches/upstream/deb-release-names.patch
index 42b72dd..22dcad3 100644
--- a/debian/patches/upstream/deb-release-names.patch
+++ b/debian/patches/upstream/deb-release-names.patch
@@ -8,8 +8,6 @@ Signed-off-by: James McCoy <jamessan@debian.org>
runtime/syntax/debsources.vim | 7 ++++---
2 files changed, 6 insertions(+), 5 deletions(-)
-diff --git a/runtime/syntax/debchangelog.vim b/runtime/syntax/debchangelog.vim
-index 4ca4c29..9d6dfe9 100644
--- a/runtime/syntax/debchangelog.vim
+++ b/runtime/syntax/debchangelog.vim
@@ -3,7 +3,7 @@
@@ -30,8 +28,6 @@ index 4ca4c29..9d6dfe9 100644
syn match debchangelogVersion contained "(.\{-})"
syn match debchangelogCloses contained "closes:\_s*\(bug\)\=#\=\_s\=\d\+\(,\_s*\(bug\)\=#\=\_s\=\d\+\)*"
syn match debchangelogLP contained "\clp:\s\+#\d\+\(,\s*#\d\+\)*"
-diff --git a/runtime/syntax/debsources.vim b/runtime/syntax/debsources.vim
-index 4b21941..f90476f 100644
--- a/runtime/syntax/debsources.vim
+++ b/runtime/syntax/debsources.vim
@@ -2,7 +2,7 @@
diff --git a/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch b/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch
index 01e9ad7..ce97d77 100644
--- a/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch
+++ b/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch
@@ -19,11 +19,9 @@ Solution: Disable using interfaces in restricted mode. Allow for writing
8 files changed, 151 insertions(+), 18 deletions(-)
create mode 100644 src/testdir/test_restricted.vim
-diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt
-index 711a487..6289e9c 100644
--- a/runtime/doc/starting.txt
+++ b/runtime/doc/starting.txt
-@@ -248,12 +248,18 @@ a slash. Thus "-R" means recovery and "-/R" readonly.
+@@ -248,12 +248,18 @@ a slash. Thus "-R" means recovery and "
changes and writing.
{not in Vi}
@@ -46,11 +44,9 @@ index 711a487..6289e9c 100644
{not in Vi}
*-g*
-diff --git a/src/evalfunc.c b/src/evalfunc.c
-index fa7ed9b..eb082b7 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
-@@ -6817,7 +6817,7 @@ f_histadd(typval_T *argvars UNUSED, typval_T *rettv)
+@@ -6817,7 +6817,7 @@ f_histadd(typval_T *argvars UNUSED, typv
#endif
rettv->vval.v_number = FALSE;
@@ -59,7 +55,7 @@ index fa7ed9b..eb082b7 100644
return;
#ifdef FEAT_CMDHIST
str = tv_get_string_chk(&argvars[0]); /* NULL on type error */
-@@ -7898,6 +7898,9 @@ f_luaeval(typval_T *argvars, typval_T *rettv)
+@@ -7898,6 +7898,9 @@ f_luaeval(typval_T *argvars, typval_T *r
char_u *str;
char_u buf[NUMBUFLEN];
@@ -69,7 +65,7 @@ index fa7ed9b..eb082b7 100644
str = tv_get_string_buf(&argvars[0], buf);
do_luaeval(str, argvars + 1, rettv);
}
-@@ -8644,6 +8647,8 @@ f_mzeval(typval_T *argvars, typval_T *rettv)
+@@ -8644,6 +8647,8 @@ f_mzeval(typval_T *argvars, typval_T *re
char_u *str;
char_u buf[NUMBUFLEN];
@@ -78,7 +74,7 @@ index fa7ed9b..eb082b7 100644
str = tv_get_string_buf(&argvars[0], buf);
do_mzeval(str, rettv);
}
-@@ -8932,6 +8937,9 @@ f_py3eval(typval_T *argvars, typval_T *rettv)
+@@ -8932,6 +8937,9 @@ f_py3eval(typval_T *argvars, typval_T *r
char_u *str;
char_u buf[NUMBUFLEN];
@@ -88,7 +84,7 @@ index fa7ed9b..eb082b7 100644
if (p_pyx == 0)
p_pyx = 3;
-@@ -8950,6 +8958,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv)
+@@ -8950,6 +8958,9 @@ f_pyeval(typval_T *argvars, typval_T *re
char_u *str;
char_u buf[NUMBUFLEN];
@@ -98,7 +94,7 @@ index fa7ed9b..eb082b7 100644
if (p_pyx == 0)
p_pyx = 2;
-@@ -8965,6 +8976,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv)
+@@ -8965,6 +8976,9 @@ f_pyeval(typval_T *argvars, typval_T *re
static void
f_pyxeval(typval_T *argvars, typval_T *rettv)
{
@@ -108,7 +104,7 @@ index fa7ed9b..eb082b7 100644
# if defined(FEAT_PYTHON) && defined(FEAT_PYTHON3)
init_pyxversion();
if (p_pyx == 2)
-@@ -10819,7 +10833,7 @@ f_setbufvar(typval_T *argvars, typval_T *rettv UNUSED)
+@@ -10819,7 +10833,7 @@ f_setbufvar(typval_T *argvars, typval_T
typval_T *varp;
char_u nbuf[NUMBUFLEN];
@@ -117,7 +113,7 @@ index fa7ed9b..eb082b7 100644
return;
(void)tv_get_number(&argvars[0]); /* issue errmsg if type error */
varname = tv_get_string_chk(&argvars[1]);
-@@ -11341,7 +11355,7 @@ f_settabvar(typval_T *argvars, typval_T *rettv)
+@@ -11341,7 +11355,7 @@ f_settabvar(typval_T *argvars, typval_T
rettv->vval.v_number = 0;
@@ -126,7 +122,7 @@ index fa7ed9b..eb082b7 100644
return;
tp = find_tabpage((int)tv_get_number_chk(&argvars[0], NULL));
-@@ -14714,7 +14728,7 @@ f_writefile(typval_T *argvars, typval_T *rettv)
+@@ -14714,7 +14728,7 @@ f_writefile(typval_T *argvars, typval_T
blob_T *blob = NULL;
rettv->vval.v_number = -1;
@@ -135,8 +131,6 @@ index fa7ed9b..eb082b7 100644
return;
if (argvars[0].v_type == VAR_LIST)
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index a3974c1..681ef42 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4775,7 +4775,7 @@ check_restricted(void)
@@ -148,8 +142,6 @@ index a3974c1..681ef42 100644
return TRUE;
}
return FALSE;
-diff --git a/src/ex_docmd.c b/src/ex_docmd.c
-index b90ea7b..ccca2f9 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -2007,11 +2007,16 @@ do_one_cmd(
@@ -170,8 +162,6 @@ index b90ea7b..ccca2f9 100644
if (!curbuf->b_p_ma && (ea.argt & MODIFY))
{
/* Command not allowed in non-'modifiable' buffer */
-diff --git a/src/if_perl.xs b/src/if_perl.xs
-index 203bb6a..67d0b94 100644
--- a/src/if_perl.xs
+++ b/src/if_perl.xs
@@ -971,6 +971,7 @@ VIM_init(void)
@@ -206,7 +196,7 @@ index 203bb6a..67d0b94 100644
perl_eval_sv(sv, G_DISCARD | G_NOARGS);
SvREFCNT_dec(sv);
-@@ -1298,13 +1297,12 @@ do_perleval(char_u *str, typval_T *rettv)
+@@ -1298,13 +1297,12 @@ do_perleval(char_u *str, typval_T *rettv
ENTER;
SAVETMPS;
@@ -222,7 +212,7 @@ index 203bb6a..67d0b94 100644
else
# endif
{
-@@ -1320,7 +1318,6 @@ do_perleval(char_u *str, typval_T *rettv)
+@@ -1320,7 +1318,6 @@ do_perleval(char_u *str, typval_T *rettv
}
}
else
@@ -230,8 +220,6 @@ index 203bb6a..67d0b94 100644
sv = eval_pv((char *)str, 0);
if (sv) {
-diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
-index 5857a22..2ca5f2b 100644
--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
@@ -213,6 +213,7 @@ NEW_TESTS = \
@@ -250,9 +238,6 @@ index 5857a22..2ca5f2b 100644
test_retab.res \
test_ruby.res \
test_scriptnames.res \
-diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim
-new file mode 100644
-index 0000000..9dd937c
--- /dev/null
+++ b/src/testdir/test_restricted.vim
@@ -0,0 +1,107 @@
@@ -363,16 +348,14 @@ index 0000000..9dd937c
+ call Run_restricted_test('tcldo puts "Hello"', 'E981:')
+ call Run_restricted_test('tclfile somefile', 'E981:')
+endfunc
-diff --git a/src/version.c b/src/version.c
-index 1b5d863..adb3441 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -809,6 +809,8 @@ static int included_patches[] =
- 948,
+@@ -810,6 +810,8 @@ static int included_patches[] =
/**/
884,
-+/**/
-+ 881,
/**/
++ 881,
++/**/
878,
/**/
+ 875,
diff --git a/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch b/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch
index 6f2d6eb..cbfbb19 100644
--- a/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch
+++ b/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch
@@ -10,8 +10,6 @@ Solution: Add mising changes in header file.
src/version.c | 2 ++
2 files changed, 25 insertions(+), 22 deletions(-)
-diff --git a/src/ex_cmds.h b/src/ex_cmds.h
-index 07afb00..eed4ce2 100644
--- a/src/ex_cmds.h
+++ b/src/ex_cmds.h
@@ -57,6 +57,7 @@
@@ -135,16 +133,14 @@ index 07afb00..eed4ce2 100644
ADDR_LINES),
EX(CMD_tearoff, "tearoff", ex_tearoff,
NEEDARG|EXTRA|TRLBAR|NOTRLCOM|CMDWIN,
-diff --git a/src/version.c b/src/version.c
-index adb3441..6d29f39 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -809,6 +809,8 @@ static int included_patches[] =
- 948,
+@@ -810,6 +810,8 @@ static int included_patches[] =
/**/
884,
-+/**/
-+ 883,
/**/
++ 883,
++/**/
881,
/**/
+ 878,
diff --git a/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch b/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch
index 8d1eebc..22d3f2d 100644
--- a/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch
+++ b/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch
@@ -11,8 +11,6 @@ Solution: Fix handling allocated memory for 'vartabstop'. (closes #3976)
src/version.c | 2 ++
3 files changed, 12 insertions(+), 7 deletions(-)
-diff --git a/src/buffer.c b/src/buffer.c
-index 2c5c282..590a63c 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2170,9 +2170,7 @@ free_buf_options(
@@ -26,8 +24,6 @@ index 2c5c282..590a63c 100644
#endif
#ifdef FEAT_KEYMAP
clear_string_option(&buf->b_p_keymap);
-diff --git a/src/option.c b/src/option.c
-index e3f5f5d..4d067c0 100644
--- a/src/option.c
+++ b/src/option.c
@@ -5611,7 +5611,9 @@ didset_options2(void)
@@ -80,16 +76,14 @@ index e3f5f5d..4d067c0 100644
(*array)[0] = valcount;
t = 1;
-diff --git a/src/version.c b/src/version.c
-index 6d29f39..6bac28e 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -807,6 +807,8 @@ static int included_patches[] =
- 1046,
+@@ -808,6 +808,8 @@ static int included_patches[] =
/**/
948,
-+/**/
-+ 936,
/**/
++ 936,
++/**/
884,
/**/
+ 883,
diff --git a/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch b/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
index ca826e0..787f781 100644
--- a/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
+++ b/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
@@ -13,8 +13,6 @@ Solution: Check the number is positive.
src/version.c | 1 +
4 files changed, 32 insertions(+), 20 deletions(-)
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index 681ef42..08d71e4 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -698,7 +698,7 @@ ex_retab(exarg_T *eap)
@@ -26,8 +24,6 @@ index 681ef42..08d71e4 100644
return;
while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
++(eap->arg);
-diff --git a/src/option.c b/src/option.c
-index 4d067c0..3ebd443 100644
--- a/src/option.c
+++ b/src/option.c
@@ -5612,9 +5612,9 @@ didset_options2(void)
@@ -170,8 +166,6 @@ index 4d067c0..3ebd443 100644
}
/*
-diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
-index f11a32b..e7b8946 100644
--- a/src/testdir/test_retab.vim
+++ b/src/testdir/test_retab.vim
@@ -74,4 +74,7 @@ endfunc
@@ -182,8 +176,6 @@ index f11a32b..e7b8946 100644
+ call assert_fails('ret 10000', 'E475:')
+ call assert_fails('ret 80000000000000000000', 'E475:')
endfunc
-diff --git a/src/version.c b/src/version.c
-index 6bac28e..bd19aac 100644
--- a/src/version.c
+++ b/src/version.c
@@ -2580,6 +2580,7 @@ static int included_patches[] =
diff --git a/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch b/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
index 18f205c..ceec31f 100644
--- a/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
+++ b/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
@@ -11,8 +11,6 @@ Solution: Free the memory. Make error messages consistent.
src/version.c | 1 +
3 files changed, 12 insertions(+), 2 deletions(-)
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index 08d71e4..3200173 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -714,12 +714,18 @@ ex_retab(exarg_T *eap)
@@ -36,8 +34,6 @@ index 08d71e4..3200173 100644
if (new_ts == 0)
new_ts = curbuf->b_p_ts;
#endif
-diff --git a/src/option.c b/src/option.c
-index 3ebd443..12d903f 100644
--- a/src/option.c
+++ b/src/option.c
@@ -12859,9 +12859,12 @@ tabstop_set(char_u *var, int **array)
@@ -53,8 +49,6 @@ index 3ebd443..12d903f 100644
return FAIL;
}
(*array)[t++] = n;
-diff --git a/src/version.c b/src/version.c
-index bd19aac..cfe1486 100644
--- a/src/version.c
+++ b/src/version.c
@@ -2581,6 +2581,7 @@ static int included_patches[] =
diff --git a/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch b/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
index 0ad00be..3a2acff 100644
--- a/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
+++ b/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
@@ -12,11 +12,9 @@ Solution: Check for NUL when advancing.
src/version.c | 1 +
3 files changed, 13 insertions(+), 1 deletion(-)
-diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
-index 031a6cf..b9562c6 100644
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
-@@ -5414,7 +5414,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
+@@ -5414,7 +5414,8 @@ find_match_text(colnr_T startcol, int re
match = FALSE;
break;
}
@@ -26,8 +24,6 @@ index 031a6cf..b9562c6 100644
}
if (match
/* check that no composing char follows */
-diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
-index 98b9e73..75485dc 100644
--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
@@ -206,3 +206,13 @@ func Test_large_class()
@@ -44,8 +40,6 @@ index 98b9e73..75485dc 100644
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
-diff --git a/src/version.c b/src/version.c
-index cfe1486..a3eca1e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -2582,6 +2582,7 @@ static char *(extra_patches[]) =
diff --git a/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch b/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
index 16832ad..cdd37a0 100644
--- a/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
+++ b/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -11,8 +11,6 @@ Solution: Get the line pointer after calling ins_copychar().
src/version.c | 1 +
3 files changed, 22 insertions(+), 3 deletions(-)
-diff --git a/src/normal.c b/src/normal.c
-index 41af966..2c36c15 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -7056,19 +7056,23 @@ nv_replace(cmdarg_T *cap)
@@ -42,8 +40,6 @@ index 41af966..2c36c15 100644
if (p_sm && msg_silent == 0)
showmatch(cap->nchar);
++curwin->w_cursor.col;
-diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
-index 9a60d01..2e050c2 100644
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1436,3 +1436,17 @@ func Test_leave_insert_autocmd()
@@ -64,8 +60,6 @@ index 9a60d01..2e050c2 100644
+endfunc
+
+" vim: shiftwidth=2 sts=2 expandtab
-diff --git a/src/version.c b/src/version.c
-index a3eca1e..c4a502f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -2583,6 +2583,7 @@ static char *(extra_patches[]) =
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-21 15:00:34 +0000