summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch27
-rw-r--r--debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch28
-rw-r--r--debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch29
-rw-r--r--debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch85
-rw-r--r--debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch37
-rw-r--r--debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch36
-rw-r--r--debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch95
-rw-r--r--debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch64
-rw-r--r--debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch63
-rw-r--r--debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch588
-rw-r--r--debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch54
-rw-r--r--debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch42
-rw-r--r--debian/patches/patch-8.1.1382-error-when-editing-test-file.patch71
-rw-r--r--debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch69
-rw-r--r--debian/patches/series23
-rw-r--r--debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch89
-rw-r--r--debian/patches/upstream/deb-release-names.patch58
-rw-r--r--debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch378
-rw-r--r--debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch150
-rw-r--r--debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch95
-rw-r--r--debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch196
-rw-r--r--debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch67
-rw-r--r--debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch58
-rw-r--r--debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch78
24 files changed, 2480 insertions, 0 deletions
diff --git a/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch b/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
new file mode 100644
index 0000000..9cb8486
--- /dev/null
+++ b/debian/patches/debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
@@ -0,0 +1,27 @@
+From: Stefano Zacchiroli <zack@debian.org>
+Date: Fri, 25 Aug 2006 13:33:04 +0200
+Subject: Add recognition of more LaTeX commands for tex filetype detection
+
+Since filetype detection of TeX files defaults to plaintex, we've added
+detection of some additional LaTeX commands to help sway the detection
+to LaTeX.
+
+Closes: #384479
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/autoload/dist/ft.vim | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/autoload/dist/ft.vim b/runtime/autoload/dist/ft.vim
+index de45faa..6a4294c 100644
+--- a/runtime/autoload/dist/ft.vim
++++ b/runtime/autoload/dist/ft.vim
+@@ -665,7 +665,7 @@ func dist#ft#FTtex()
+ call cursor(1,1)
+ let firstNC = search('^\s*[^[:space:]%]', 'c', 1000)
+ if firstNC " Check the next thousand lines for a LaTeX or ConTeXt keyword.
+- let lpat = 'documentclass\>\|usepackage\>\|begin{\|newcommand\>\|renewcommand\>'
++ let lpat = 'documentclass\>\|usepackage\>\|begin{\|newcommand\>\|renewcommand\>\|part\>\|chapter\>\|section\>\|subsection\>\|subsubsection\>\|paragraph\>\|subparagraph\>\|subsubparagraph'
+ let cpat = 'start\a\+\|setup\a\+\|usemodule\|enablemode\|enableregime\|setvariables\|useencoding\|usesymbols\|stelle\a\+\|verwende\a\+\|stel\a\+\|gebruik\a\+\|usa\a\+\|imposta\a\+\|regle\a\+\|utilisemodule\>'
+ let kwline = search('^\s*\\\%(' . lpat . '\)\|^\s*\\\(' . cpat . '\)',
+ \ 'cnp', firstNC + 1000)
diff --git a/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch b/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
new file mode 100644
index 0000000..8c23cad
--- /dev/null
+++ b/debian/patches/debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
@@ -0,0 +1,28 @@
+From: James Vega <jamessan@debian.org>
+Date: Fri, 18 Aug 2006 09:06:20 -0400
+Subject: Detect the rst filetype using the contents of the file
+
+Closes: #382541
+---
+ runtime/scripts.vim | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/runtime/scripts.vim b/runtime/scripts.vim
+index ab66c0c..a755bc7 100644
+--- a/runtime/scripts.vim
++++ b/runtime/scripts.vim
+@@ -356,6 +356,14 @@ else
+ elseif s:line1 =~# 'exec\s\+\S*scheme' || s:line2 =~# 'exec\s\+\S*scheme'
+ set ft=scheme
+
++ " rst files
++ elseif s:line1 =~ '^\.\.\s\|^\s*restindex\s*$'
++ \ || s:line2 =~ '^\.\.\s\|^\s*restindex\s*$'
++ \ || s:line3 =~ '^\.\.\s\|^\s*restindex\s*$'
++ \ || s:line4 =~ '^\.\.\s\|^\s*restindex\s*$'
++ \ || s:line5 =~ '^\.\.\s\|^\s*restindex\s*$'
++ set ft=rst
++
+ " Git output
+ elseif s:line1 =~# '^\(commit\|tree\|object\) \x\{40\}\>\|^tag \S\+$'
+ set ft=git
diff --git a/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch b/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
new file mode 100644
index 0000000..7c23fbb
--- /dev/null
+++ b/debian/patches/debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
@@ -0,0 +1,29 @@
+From: James Vega <jamessan@debian.org>
+Date: Thu, 27 Mar 2008 03:42:02 +0000
+Subject: Document Debian's decision to disable modelines by default
+
+Modelines have historically been a source of vulnerabilities in Vim.
+As long as it remains a "blacklist suspected/proven dangerous options"
+instead of a "whitelist allowed options" piece of functionality,
+Debian's system-wide vimrc will maintain this setting. As such, the
+documentation needs to be updated to reflect the induced behavior.
+
+Closes: #472522
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/doc/options.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
+index c9e2b0b..c269fea 100644
+--- a/runtime/doc/options.txt
++++ b/runtime/doc/options.txt
+@@ -5392,7 +5392,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ *'modeline'* *'ml'* *'nomodeline'* *'noml'*
+ 'modeline' 'ml' boolean (Vim default: on (off for root),
+- Vi default: off)
++ Debian: off, Vi default: off)
+ local to buffer
+ *'modelines'* *'mls'*
+ 'modelines' 'mls' number (default 5)
diff --git a/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch b/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
new file mode 100644
index 0000000..4822934
--- /dev/null
+++ b/debian/patches/debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
@@ -0,0 +1,85 @@
+From: James McCoy <jamessan@debian.org>
+Date: Tue, 6 Oct 2015 23:46:30 -0400
+Subject: Support sourcing a vimrc.tiny when Vim is invoked as vi
+
+This is used only in the vim-tiny package to allow a specific
+configuration for vim-tiny's vi. The vim-tiny package is substantially
+different from other Vim packages, so it does not make sense to
+share the same config.
+
+Closes: #222138
+Signed-off-by: Stefano Zacchiroli <zack@debian.org>
+Signed-off-by: James Vega <jamessan@debian.org>
+---
+ src/main.c | 14 +++++++++++++-
+ src/os_unix.h | 3 +++
+ src/structs.h | 3 +++
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/main.c b/src/main.c
+index df204bc..cb31bf1 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -1786,6 +1786,10 @@ parse_command_name(mparm_T *parmp)
+ }
+ else if (STRNICMP(initstr, "vim", 3) == 0)
+ initstr += 3;
++#ifdef SYS_TINYRC_FILE
++ else if (STRNICMP(initstr, "vi", 2) == 0)
++ parmp->vi_mode = TRUE;
++#endif
+
+ // Catch "[r][g]vimdiff" and "[r][g]viewdiff".
+ if (STRICMP(initstr, "diff") == 0)
+@@ -3032,7 +3036,12 @@ source_startup_scripts(mparm_T *parmp)
+ * Get system wide defaults, if the file name is defined.
+ */
+ #ifdef SYS_VIMRC_FILE
+- (void)do_source((char_u *)SYS_VIMRC_FILE, FALSE, DOSO_NONE);
++# if defined(SYS_TINYRC_FILE) && defined(TINY_VIMRC)
++ if (parmp->vi_mode)
++ (void)do_source((char_u *)SYS_TINYRC_FILE, FALSE, DOSO_NONE);
++ else
++# endif
++ (void)do_source((char_u *)SYS_VIMRC_FILE, FALSE, DOSO_NONE);
+ #endif
+ #ifdef MACOS_X
+ (void)do_source((char_u *)"$VIMRUNTIME/macmap.vim", FALSE, DOSO_NONE);
+@@ -3067,6 +3076,9 @@ source_startup_scripts(mparm_T *parmp)
+ && do_source((char_u *)USR_EXRC_FILE, FALSE, DOSO_NONE) == FAIL
+ #ifdef USR_EXRC_FILE2
+ && do_source((char_u *)USR_EXRC_FILE2, FALSE, DOSO_NONE) == FAIL
++#endif
++#if defined(SYS_TINYRC_FILE) && defined(TINY_VIMRC)
++ && !parmp->vi_mode
+ #endif
+ && !has_dash_c_arg)
+ {
+diff --git a/src/os_unix.h b/src/os_unix.h
+index 8919ff0..fcc82eb 100644
+--- a/src/os_unix.h
++++ b/src/os_unix.h
+@@ -213,6 +213,9 @@ typedef struct dsc$descriptor DESC;
+ /*
+ * Unix system-dependent file names
+ */
++#ifndef SYS_TINYRC_FILE
++# define SYS_TINYRC_FILE "$VIM/vimrc.tiny"
++#endif
+ #ifndef SYS_VIMRC_FILE
+ # define SYS_VIMRC_FILE "$VIM/vimrc"
+ #endif
+diff --git a/src/structs.h b/src/structs.h
+index 5d0541b..d2ca1fc 100644
+--- a/src/structs.h
++++ b/src/structs.h
+@@ -3472,6 +3472,9 @@ typedef struct
+ #ifdef FEAT_DIFF
+ int diff_mode; /* start with 'diff' set */
+ #endif
++#ifdef SYS_TINYRC_FILE
++ int vi_mode; /* started as "vi" */
++#endif
+ } mparm_T;
+
+ /*
diff --git a/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch b/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
new file mode 100644
index 0000000..9ffbc87
--- /dev/null
+++ b/debian/patches/patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
@@ -0,0 +1,37 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 7 Feb 2019 21:27:14 +0100
+Subject: patch 8.1.0878: test for has('bsd') fails on some BSD systems
+
+Problem: Test for has('bsd') fails on some BSD systems.
+Solution: Adjust the uname match. (James McCoy, closes #3909)
+---
+ src/testdir/test_functions.vim | 2 ++
+ src/version.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/testdir/test_functions.vim b/src/testdir/test_functions.vim
+index b08d9aa..e75a896 100644
+--- a/src/testdir/test_functions.vim
++++ b/src/testdir/test_functions.vim
+@@ -1238,6 +1238,8 @@ func Test_platform_name()
+ let uname = system('uname')
+ call assert_equal(uname =~? 'BeOS', has('beos'))
+ call assert_equal(uname =~? 'BSD\|DragonFly', has('bsd'))
++ " GNU userland on BSD kernels (e.g., GNU/kFreeBSD) don't have BSD defined
++ call assert_equal(uname =~? '\%(GNU/k\w\+\)\@<!BSD\|DragonFly', has('bsd'))
+ call assert_equal(uname =~? 'HP-UX', has('hpux'))
+ call assert_equal(uname =~? 'Linux', has('linux'))
+ call assert_equal(uname =~? 'Darwin', has('mac'))
+diff --git a/src/version.c b/src/version.c
+index 0b86826..f5f9439 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 878,
+ /**/
+ 875,
+ /**/
diff --git a/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch b/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch
new file mode 100644
index 0000000..6888aed
--- /dev/null
+++ b/debian/patches/patch-8.1.0884-double-check-for-bsd-systems.patch
@@ -0,0 +1,36 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Feb 2019 23:09:48 +0100
+Subject: patch 8.1.0884: double check for bsd systems
+
+Problem: Double check for bsd systems.
+Solution: Delete the old line.
+---
+ src/testdir/test_functions.vim | 1 -
+ src/version.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_functions.vim b/src/testdir/test_functions.vim
+index e75a896..69e6ce0 100644
+--- a/src/testdir/test_functions.vim
++++ b/src/testdir/test_functions.vim
+@@ -1237,7 +1237,6 @@ func Test_platform_name()
+ if has('unix') && executable('uname')
+ let uname = system('uname')
+ call assert_equal(uname =~? 'BeOS', has('beos'))
+- call assert_equal(uname =~? 'BSD\|DragonFly', has('bsd'))
+ " GNU userland on BSD kernels (e.g., GNU/kFreeBSD) don't have BSD defined
+ call assert_equal(uname =~? '\%(GNU/k\w\+\)\@<!BSD\|DragonFly', has('bsd'))
+ call assert_equal(uname =~? 'HP-UX', has('hpux'))
+diff --git a/src/version.c b/src/version.c
+index f5f9439..46f63e7 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 884,
+ /**/
+ 878,
+ /**/
diff --git a/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch b/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
new file mode 100644
index 0000000..8544ba9
--- /dev/null
+++ b/debian/patches/patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
@@ -0,0 +1,95 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 18 Feb 2019 21:32:28 +0100
+Subject: patch 8.1.0948: when built without +eval "Vim --clean" produces
+ errors
+
+Problem: When built without +eval "Vim --clean" produces errors. (James
+ McCoy)
+Solution: Do not enable filetype detection.
+---
+ runtime/defaults.vim | 51 ++++++++++++++++++++++++++++-----------------------
+ src/version.c | 2 ++
+ 2 files changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/runtime/defaults.vim b/runtime/defaults.vim
+index b848217..e8a0ff4 100644
+--- a/runtime/defaults.vim
++++ b/runtime/defaults.vim
+@@ -1,7 +1,7 @@
+ " The default vimrc file.
+ "
+ " Maintainer: Bram Moolenaar <Bram@vim.org>
+-" Last change: 2019 Jan 26
++" Last change: 2019 Feb 18
+ "
+ " This is loaded if no vimrc file was found.
+ " Except when Vim is run with "-u NONE" or "-C".
+@@ -90,28 +90,33 @@ if &t_Co > 2 || has("gui_running")
+ let c_comment_strings=1
+ endif
+
+-" Enable file type detection.
+-" Use the default filetype settings, so that mail gets 'tw' set to 72,
+-" 'cindent' is on in C files, etc.
+-" Also load indent files, to automatically do language-dependent indenting.
+-" Revert with ":filetype off".
+-filetype plugin indent on
+-
+-" Put these in an autocmd group, so that you can revert them with:
+-" ":augroup vimStartup | au! | augroup END"
+-augroup vimStartup
+- au!
+-
+- " When editing a file, always jump to the last known cursor position.
+- " Don't do it when the position is invalid, when inside an event handler
+- " (happens when dropping a file on gvim) and for a commit message (it's
+- " likely a different one than last time).
+- autocmd BufReadPost *
+- \ if line("'\"") >= 1 && line("'\"") <= line("$") && &ft !~# 'commit'
+- \ | exe "normal! g`\""
+- \ | endif
+-
+-augroup END
++" Only do this part when Vim was compiled with the +eval feature.
++if 1
++
++ " Enable file type detection.
++ " Use the default filetype settings, so that mail gets 'tw' set to 72,
++ " 'cindent' is on in C files, etc.
++ " Also load indent files, to automatically do language-dependent indenting.
++ " Revert with ":filetype off".
++ filetype plugin indent on
++
++ " Put these in an autocmd group, so that you can revert them with:
++ " ":augroup vimStartup | au! | augroup END"
++ augroup vimStartup
++ au!
++
++ " When editing a file, always jump to the last known cursor position.
++ " Don't do it when the position is invalid, when inside an event handler
++ " (happens when dropping a file on gvim) and for a commit message (it's
++ " likely a different one than last time).
++ autocmd BufReadPost *
++ \ if line("'\"") >= 1 && line("'\"") <= line("$") && &ft !~# 'commit'
++ \ | exe "normal! g`\""
++ \ | endif
++
++ augroup END
++
++endif
+
+ " Convenient command to see the difference between the current buffer and the
+ " file it was loaded from, thus the changes you made.
+diff --git a/src/version.c b/src/version.c
+index 46f63e7..b59878e 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 948,
+ /**/
+ 884,
+ /**/
diff --git a/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch b/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch
new file mode 100644
index 0000000..bc56542
--- /dev/null
+++ b/debian/patches/patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch
@@ -0,0 +1,64 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 24 Mar 2019 14:02:04 +0100
+Subject: patch 8.1.1046: the "secure" variable is used inconsistently
+
+Problem: the "secure" variable is used inconsistently. (Justin M. Keyes)
+Solution: Set it to one instead of incrementing.
+
+(cherry picked from commit 82b033eff82d3ed0da77fd5f5a1c023766acabba)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ src/buffer.c | 2 +-
+ src/option.c | 9 ++++-----
+ src/version.c | 2 ++
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 98d505f..2c5c282 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -5510,7 +5510,7 @@ chk_modeline(
+ current_sctx.sc_lnum = 0;
+ #endif
+ // Make sure no risky things are executed as a side effect.
+- ++secure;
++ secure = 1;
+
+ retval = do_set(s, OPT_MODELINE | OPT_LOCAL | flags);
+
+diff --git a/src/option.c b/src/option.c
+index 77d1024..4b6157d 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -5161,13 +5161,12 @@ do_set(
+ // effects in secure mode. Also when the value was
+ // set with the P_INSECURE flag and is not
+ // completely replaced.
+- if (secure
++ if ((opt_flags & OPT_MODELINE)
+ #ifdef HAVE_SANDBOX
+- || sandbox != 0
++ || sandbox != 0
+ #endif
+- || (opt_flags & OPT_MODELINE)
+- || (!value_is_replaced && (*p & P_INSECURE)))
+- ++secure;
++ || (!value_is_replaced && (*p & P_INSECURE)))
++ secure = 1;
+
+ // Handle side effects, and set the global value
+ // for ":set" on local options. Note: when setting
+diff --git a/src/version.c b/src/version.c
+index b59878e..1a7ffa4 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1046,
+ /**/
+ 948,
+ /**/
diff --git a/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch b/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch
new file mode 100644
index 0000000..0124ad8
--- /dev/null
+++ b/debian/patches/patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch
@@ -0,0 +1,63 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 22 May 2019 22:38:25 +0200
+Subject: patch 8.1.1365: source command doesn't check for the sandbox
+
+Problem: Source command doesn't check for the sandbox. (Armin Razmjou)
+Solution: Check for the sandbox when sourcing a file.
+
+(cherry picked from commit 53575521406739cf20bbe4e384d88e7dca11f040)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ src/getchar.c | 6 ++++++
+ src/testdir/test_source.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index fe74dbf..3e4c964 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1407,6 +1407,12 @@ openscript(
+ emsg(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure())
++ return;
++
+ #ifdef FEAT_EVAL
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+diff --git a/src/testdir/test_source.vim b/src/testdir/test_source.vim
+index a33d286..5166baf 100644
+--- a/src/testdir/test_source.vim
++++ b/src/testdir/test_source.vim
+@@ -36,3 +36,12 @@ func Test_source_cmd()
+ au! SourcePre
+ au! SourcePost
+ endfunc
++
++func Test_source_sandbox()
++ new
++ call writefile(["Ohello\<Esc>"], 'Xsourcehello')
++ source! Xsourcehello | echo
++ call assert_equal('hello', getline(1))
++ call assert_fails('sandbox source! Xsourcehello', 'E48:')
++ bwipe!
++endfunc
+diff --git a/src/version.c b/src/version.c
+index 1a7ffa4..3040409 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1365,
+ /**/
+ 1046,
+ /**/
diff --git a/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch b/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch
new file mode 100644
index 0000000..6918fc7
--- /dev/null
+++ b/debian/patches/patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch
@@ -0,0 +1,588 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 23 May 2019 15:38:06 +0200
+Subject: patch 8.1.1366: using expressions in a modeline is unsafe
+
+Problem: Using expressions in a modeline is unsafe.
+Solution: Disallow using expressions in a modeline, unless the
+ 'modelineexpr' option is set. Update help, add more tests.
+
+(cherry picked from commit 110289e78195b6d01e1e6ad26ad450de476d41c1)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/doc/options.txt | 69 +++++++++++++++++++++++++++-----
+ src/option.c | 35 ++++++++++------
+ src/option.h | 1 +
+ src/testdir/test49.in | 2 +-
+ src/testdir/test_modeline.vim | 93 +++++++++++++++++++++++++++++++++++++++----
+ src/version.c | 2 +
+ 6 files changed, 169 insertions(+), 33 deletions(-)
+
+diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
+index c269fea..7b25f20 100644
+--- a/runtime/doc/options.txt
++++ b/runtime/doc/options.txt
+@@ -1,4 +1,4 @@
+-*options.txt* For Vim version 8.1. Last change: 2019 Feb 03
++*options.txt* For Vim version 8.1. Last change: 2019 May 23
+
+
+ VIM REFERENCE MANUAL by Bram Moolenaar
+@@ -588,14 +588,17 @@ backslash in front of the ':' will be removed. Example:
+ /* vi:set dir=c\:\tmp: */ ~
+ This sets the 'dir' option to "c:\tmp". Only a single backslash before the
+ ':' is removed. Thus to include "\:" you have to specify "\\:".
+-
++ *E992*
+ No other commands than "set" are supported, for security reasons (somebody
+ might create a Trojan horse text file with modelines). And not all options
+-can be set. For some options a flag is set, so that when it's used the
+-|sandbox| is effective. Still, there is always a small risk that a modeline
+-causes trouble. E.g., when some joker sets 'textwidth' to 5 all your lines
+-are wrapped unexpectedly. So disable modelines before editing untrusted text.
+-The mail ftplugin does this, for example.
++can be set. For some options a flag is set, so that when the value is used
++the |sandbox| is effective. Some options can only be set from the modeline
++when 'modelineexpr' is set (the default is off).
++
++Still, there is always a small risk that a modeline causes trouble. E.g.,
++when some joker sets 'textwidth' to 5 all your lines are wrapped unexpectedly.
++So disable modelines before editing untrusted text. The mail ftplugin does
++this, for example.
+
+ Hint: If you would like to do something else than setting an option, you could
+ define an autocommand that checks the file for a specific string. For
+@@ -1189,6 +1192,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ The expression will be evaluated in the |sandbox| when set from a
+ modeline, see |sandbox-option|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ It is not allowed to change text or jump to another window while
+ evaluating 'balloonexpr' |textlock|.
+@@ -3354,7 +3358,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+ The expression will be evaluated in the |sandbox| if set from a
+ modeline, see |sandbox-option|.
+ This option can't be set from a |modeline| when the 'diff' option is
+- on.
++ on or the 'modelineexpr' option is off.
+
+ It is not allowed to change text or jump to another window while
+ evaluating 'foldexpr' |textlock|.
+@@ -3496,6 +3500,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ The expression will be evaluated in the |sandbox| if set from a
+ modeline, see |sandbox-option|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ It is not allowed to change text or jump to another window while
+ evaluating 'foldtext' |textlock|.
+@@ -3534,6 +3539,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+ The expression will be evaluated in the |sandbox| when set from a
+ modeline, see |sandbox-option|. That stops the option from working,
+ since changing the buffer text is not allowed.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+ NOTE: This option is set to "" when 'compatible' is set.
+
+ *'formatoptions'* *'fo'*
+@@ -3594,6 +3600,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ Also see 'swapsync' for controlling fsync() on swap files.
+ 'fsync' also applies to |writefile()|, unless a flag is used to
+ overrule it.
++ This option cannot be set from a |modeline| or in the |sandbox|, for
++ security reasons.
+
+ *'gdefault'* *'gd'* *'nogdefault'* *'nogd'*
+ 'gdefault' 'gd' boolean (default off)
+@@ -3888,7 +3896,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+ *'guiheadroom'* *'ghr'*
+ 'guiheadroom' 'ghr' number (default 50)
+ global
+- {not in Vi} {only for GTK and X11 GUI}
++ {only for GTK and X11 GUI}
+ The number of pixels subtracted from the screen height when fitting
+ the GUI window on the screen. Set this before the GUI is started,
+ e.g., in your |gvimrc| file. When zero, the whole screen height will
+@@ -4049,6 +4057,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+ 'guitabtooltip' is used for the tooltip, see below.
+ The expression will be evaluated in the |sandbox| when set from a
+ modeline, see |sandbox-option|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ Only used when the GUI tab pages line is displayed. 'e' must be
+ present in 'guioptions'. For the non-GUI tab pages line 'tabline' is
+@@ -4311,6 +4320,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+ When this option contains printf-style '%' items, they will be
+ expanded according to the rules used for 'statusline'. See
+ 'titlestring' for example settings.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+ {not available when compiled without the |+statusline| feature}
+
+ *'ignorecase'* *'ic'* *'noignorecase'* *'noic'*
+@@ -4331,6 +4341,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ This option specifies a function that will be called to
+ activate or deactivate the Input Method.
+ It is not used in the GUI.
++ The expression will be evaluated in the |sandbox| when set from a
++ modeline, see |sandbox-option|.
+
+ Example: >
+ function ImActivateFunc(active)
+@@ -4459,6 +4471,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ set imstatusfunc=ImStatusFunc
+ <
+ NOTE: This function is invoked very often. Keep it fast.
++ The expression will be evaluated in the |sandbox| when set from a
++ modeline, see |sandbox-option|.
+
+ *'imstyle'* *'imst'*
+ 'imstyle' 'imst' number (default 1)
+@@ -4476,6 +4490,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ |single-repeat|, etc. Therefore over-the-spot style becomes the
+ default now. This should work fine for most people, however if you
+ have any problem with it, try using on-the-spot style.
++ The expression will be evaluated in the |sandbox| when set from a
++ modeline, see |sandbox-option|.
+
+ *'include'* *'inc'*
+ 'include' 'inc' string (default "^\s*#\s*include")
+@@ -4512,6 +4528,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ The expression will be evaluated in the |sandbox| when set from a
+ modeline, see |sandbox-option|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ It is not allowed to change text or jump to another window while
+ evaluating 'includeexpr' |textlock|.
+@@ -4601,6 +4618,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ The expression will be evaluated in the |sandbox| when set from a
+ modeline, see |sandbox-option|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ It is not allowed to change text or jump to another window while
+ evaluating 'indentexpr' |textlock|.
+@@ -5227,6 +5245,12 @@ A jump table for the options with a short description can be found at |Q_op|.
+ < This option cannot be set from a |modeline| or in the |sandbox|, for
+ security reasons.
+
++ *'makespellmem'* *'msm'*
++'makespellmem' 'msm' string (default "460000,2000,500")
++ global
++ Values relevant only when compressing a spell file, see |spell|.
++ This option cannot be set from a |modeline| or in the |sandbox|.
++
+ *'matchpairs'* *'mps'*
+ 'matchpairs' 'mps' string (default "(:),{:},[:]")
+ local to buffer
+@@ -5250,7 +5274,6 @@ A jump table for the options with a short description can be found at |Q_op|.
+ *'matchtime'* *'mat'*
+ 'matchtime' 'mat' number (default 5)
+ global
+- {not in Vi}{in Nvi}
+ Tenths of a second to show the matching paren, when 'showmatch' is
+ set. Note that this is not in milliseconds, like other options that
+ set a time. This is to be compatible with Nvi.
+@@ -5394,6 +5417,17 @@ A jump table for the options with a short description can be found at |Q_op|.
+ 'modeline' 'ml' boolean (Vim default: on (off for root),
+ Debian: off, Vi default: off)
+ local to buffer
++ If 'modeline' is on 'modelines' gives the number of lines that is
++ checked for set commands. If 'modeline' is off or 'modelines' is zero
++ no lines are checked. See |modeline|.
++
++ *'modelineexpr'* *'mle'* *'nomodelineexpr'* *'nomle'*
++'modelineexpr' 'mle' boolean (default: off)
++ global
++ When on allow some options that are an expression to be set in the
++ modeline. Check the option for whether it is affected by
++ 'modelineexpr'. Also see |modeline|.
++
+ *'modelines'* *'mls'*
+ 'modelines' 'mls' number (default 5)
+ global
+@@ -5405,9 +5439,9 @@ A jump table for the options with a short description can be found at |Q_op|.
+ set and to the Vim default value when 'compatible' is reset.
+
+ *'modifiable'* *'ma'* *'nomodifiable'* *'noma'*
++ *E21*
+ 'modifiable' 'ma' boolean (default on)
+ local to buffer
+- {not in Vi} *E21*
+ When off the buffer contents cannot be changed. The 'fileformat' and
+ 'fileencoding' options also can't be changed.
+ Can be reset on startup with the |-M| command line argument.
+@@ -6456,6 +6490,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ When this option is not empty, it determines the content of the ruler
+ string, as displayed for the 'ruler' option.
+ The format of this option is like that of 'statusline'.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
++
+ The default ruler width is 17 characters. To make the ruler 15
+ characters wide, put "%15(" at the start and "%)" at the end.
+ Example: >
+@@ -7016,6 +7052,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ q use "recording" instead of "recording @a"
+ F don't give the file info when editing a file, like `:silent`
+ was used for the command
++ was used for the command; note that this also affects messages
++ from autocommands
+
+ This gives you the opportunity to avoid that a change between buffers
+ requires you to hit <Enter>, but still gives as useful a message as
+@@ -7600,6 +7638,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ The 'statusline' option will be evaluated in the |sandbox| if set from
+ a modeline, see |sandbox-option|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ It is not allowed to change text or jump to another window while
+ evaluating 'statusline' |textlock|.
+@@ -7786,6 +7825,7 @@ A jump table for the options with a short description can be found at |Q_op|.
+
+ When changing something that is used in 'tabline' that does not
+ trigger it to be updated, use |:redrawtabline|.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
+
+ Keep in mind that only one of the tab pages is the current one, others
+ are invisible and you can't jump to their windows.
+@@ -8329,8 +8369,11 @@ A jump table for the options with a short description can be found at |Q_op|.
+ non-empty 't_ts' option).
+ When Vim was compiled with HAVE_X11 defined, the original title will
+ be restored if possible, see |X11|.
++
+ When this option contains printf-style '%' items, they will be
+ expanded according to the rules used for 'statusline'.
++ This option cannot be set in a modeline when 'modelineexpr' is off.
++
+ Example: >
+ :auto BufEnter * let &titlestring = hostname() . "/" . expand("%:p")
+ :set title titlestring=%<%F%=%l/%L-%P titlelen=70
+@@ -8520,6 +8563,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ undo file that exists is used. When it cannot be read an error is
+ given, no further entry is used.
+ See |undo-persistence|.
++ This option cannot be set from a |modeline| or in the |sandbox|, for
++ security reasons.
+
+ *'undofile'* *'noundofile'* *'udf'* *'noudf'*
+ 'undofile' 'udf' boolean (default off)
+@@ -8843,6 +8888,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ When equal to "NONE" no viminfo file will be read or written.
+ This option can be set with the |-i| command line flag. The |--clean|
+ command line flag sets it to "NONE".
++ This option cannot be set from a |modeline| or in the |sandbox|, for
++ security reasons.
+
+ *'virtualedit'* *'ve'*
+ 'virtualedit' 've' string (default "")
+diff --git a/src/option.c b/src/option.c
+index 4b6157d..e1e89d5 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -462,6 +462,7 @@ struct vimoption
+ * there is a redraw flag */
+ #define P_NDNAME 0x8000000L /* only normal dir name chars allowed */
+ #define P_RWINONLY 0x10000000L /* only redraw current window */
++#define P_MLE 0x20000000L /* under control of 'modelineexpr' */
+
+ #define ISK_LATIN1 (char_u *)"@,48-57,_,192-255"
+
+@@ -649,7 +650,7 @@ static struct vimoption options[] =
+ {(char_u *)0L, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"balloonexpr", "bexpr", P_STRING|P_ALLOCED|P_VI_DEF|P_VIM,
++ {"balloonexpr", "bexpr", P_STRING|P_ALLOCED|P_VI_DEF|P_VIM|P_MLE,
+ #if defined(FEAT_BEVAL) && defined(FEAT_EVAL)
+ (char_u *)&p_bexpr, PV_BEXPR,
+ {(char_u *)"", (char_u *)0L}
+@@ -726,7 +727,7 @@ static struct vimoption options[] =
+ (char_u *)&p_cmp, PV_NONE,
+ {(char_u *)"internal,keepascii", (char_u *)0L}
+ SCTX_INIT},
+- {"cdpath", "cd", P_STRING|P_EXPAND|P_VI_DEF|P_COMMA|P_NODUP,
++ {"cdpath", "cd", P_STRING|P_EXPAND|P_VI_DEF|P_SECURE|P_COMMA|P_NODUP,
+ #ifdef FEAT_SEARCHPATH
+ (char_u *)&p_cdpath, PV_NONE,
+ {(char_u *)",,", (char_u *)0L}
+@@ -1178,7 +1179,7 @@ static struct vimoption options[] =
+ {(char_u *)NULL, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"foldexpr", "fde", P_STRING|P_ALLOCED|P_VIM|P_VI_DEF|P_RWIN,
++ {"foldexpr", "fde", P_STRING|P_ALLOCED|P_VIM|P_VI_DEF|P_RWIN|P_MLE,
+ #if defined(FEAT_FOLDING) && defined(FEAT_EVAL)
+ (char_u *)VAR_WIN, PV_FDE,
+ {(char_u *)"0", (char_u *)NULL}
+@@ -1261,7 +1262,7 @@ static struct vimoption options[] =
+ {(char_u *)NULL, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"foldtext", "fdt", P_STRING|P_ALLOCED|P_VIM|P_VI_DEF|P_RWIN,
++ {"foldtext", "fdt", P_STRING|P_ALLOCED|P_VIM|P_VI_DEF|P_RWIN|P_MLE,
+ #if defined(FEAT_FOLDING) && defined(FEAT_EVAL)
+ (char_u *)VAR_WIN, PV_FDT,
+ {(char_u *)"foldtext()", (char_u *)NULL}
+@@ -1270,7 +1271,7 @@ static struct vimoption options[] =
+ {(char_u *)NULL, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"formatexpr", "fex", P_STRING|P_ALLOCED|P_VI_DEF|P_VIM,
++ {"formatexpr", "fex", P_STRING|P_ALLOCED|P_VI_DEF|P_VIM|P_MLE,
+ #ifdef FEAT_EVAL
+ (char_u *)&p_fex, PV_FEX,
+ {(char_u *)"", (char_u *)0L}
+@@ -1409,7 +1410,7 @@ static struct vimoption options[] =
+ (char_u *)NULL, PV_NONE,
+ #endif
+ {(char_u *)TRUE, (char_u *)0L} SCTX_INIT},
+- {"guitablabel", "gtl", P_STRING|P_VI_DEF|P_RWIN,
++ {"guitablabel", "gtl", P_STRING|P_VI_DEF|P_RWIN|P_MLE,
+ #if defined(FEAT_GUI_TABLINE)
+ (char_u *)&p_gtl, PV_NONE,
+ {(char_u *)"", (char_u *)0L}
+@@ -1480,7 +1481,7 @@ static struct vimoption options[] =
+ (char_u *)NULL, PV_NONE,
+ #endif
+ {(char_u *)FALSE, (char_u *)0L} SCTX_INIT},
+- {"iconstring", NULL, P_STRING|P_VI_DEF,
++ {"iconstring", NULL, P_STRING|P_VI_DEF|P_MLE,
+ #ifdef FEAT_TITLE
+ (char_u *)&p_iconstring, PV_NONE,
+ #else
+@@ -1552,7 +1553,7 @@ static struct vimoption options[] =
+ {(char_u *)0L, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"includeexpr", "inex", P_STRING|P_ALLOCED|P_VI_DEF,
++ {"includeexpr", "inex", P_STRING|P_ALLOCED|P_VI_DEF|P_MLE,
+ #if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+ (char_u *)&p_inex, PV_INEX,
+ {(char_u *)"", (char_u *)0L}
+@@ -1564,7 +1565,7 @@ static struct vimoption options[] =
+ {"incsearch", "is", P_BOOL|P_VI_DEF|P_VIM,
+ (char_u *)&p_is, PV_NONE,
+ {(char_u *)FALSE, (char_u *)0L} SCTX_INIT},
+- {"indentexpr", "inde", P_STRING|P_ALLOCED|P_VI_DEF|P_VIM,
++ {"indentexpr", "inde", P_STRING|P_ALLOCED|P_VI_DEF|P_VIM|P_MLE,
+ #if defined(FEAT_CINDENT) && defined(FEAT_EVAL)
+ (char_u *)&p_inde, PV_INDE,
+ {(char_u *)"", (char_u *)0L}
+@@ -1891,6 +1892,9 @@ static struct vimoption options[] =
+ {"modeline", "ml", P_BOOL|P_VIM,
+ (char_u *)&p_ml, PV_ML,
+ {(char_u *)FALSE, (char_u *)TRUE} SCTX_INIT},
++ {"modelineexpr", "mle", P_BOOL|P_VI_DEF,
++ (char_u *)&p_mle, PV_NONE,
++ {(char_u *)FALSE, (char_u *)0L} SCTX_INIT},
+ {"modelines", "mls", P_NUM|P_VI_DEF,
+ (char_u *)&p_mls, PV_NONE,
+ {(char_u *)5L, (char_u *)0L} SCTX_INIT},
+@@ -2314,7 +2318,7 @@ static struct vimoption options[] =
+ (char_u *)NULL, PV_NONE,
+ #endif
+ {(char_u *)FALSE, (char_u *)0L} SCTX_INIT},
+- {"rulerformat", "ruf", P_STRING|P_VI_DEF|P_ALLOCED|P_RSTAT,
++ {"rulerformat", "ruf", P_STRING|P_VI_DEF|P_ALLOCED|P_RSTAT|P_MLE,
+ #ifdef FEAT_STL_OPT
+ (char_u *)&p_ruf, PV_NONE,
+ #else
+@@ -2580,7 +2584,7 @@ static struct vimoption options[] =
+ {"startofline", "sol", P_BOOL|P_VI_DEF|P_VIM,
+ (char_u *)&p_sol, PV_NONE,
+ {(char_u *)TRUE, (char_u *)0L} SCTX_INIT},
+- {"statusline" ,"stl", P_STRING|P_VI_DEF|P_ALLOCED|P_RSTAT,
++ {"statusline" ,"stl", P_STRING|P_VI_DEF|P_ALLOCED|P_RSTAT|P_MLE,
+ #ifdef FEAT_STL_OPT
+ (char_u *)&p_stl, PV_STL,
+ #else
+@@ -2627,7 +2631,7 @@ static struct vimoption options[] =
+ {(char_u *)0L, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"tabline", "tal", P_STRING|P_VI_DEF|P_RALL,
++ {"tabline", "tal", P_STRING|P_VI_DEF|P_RALL|P_MLE,
+ #ifdef FEAT_STL_OPT
+ (char_u *)&p_tal, PV_NONE,
+ #else
+@@ -2796,7 +2800,7 @@ static struct vimoption options[] =
+ {(char_u *)0L, (char_u *)0L}
+ #endif
+ SCTX_INIT},
+- {"titlestring", NULL, P_STRING|P_VI_DEF,
++ {"titlestring", NULL, P_STRING|P_VI_DEF|P_MLE,
+ #ifdef FEAT_TITLE
+ (char_u *)&p_titlestring, PV_NONE,
+ #else
+@@ -4542,6 +4546,11 @@ do_set(
+ errmsg = _("E520: Not allowed in a modeline");
+ goto skip;
+ }
++ if ((flags & P_MLE) && !p_mle)
++ {
++ errmsg = _("E992: Not allowed in a modeline when 'modelineexpr' is off");
++ goto skip;
++ }
+ #ifdef FEAT_DIFF
+ /* In diff mode some options are overruled. This avoids that
+ * 'foldmethod' becomes "marker" instead of "diff" and that
+diff --git a/src/option.h b/src/option.h
+index 2985781..1cef928 100644
+--- a/src/option.h
++++ b/src/option.h
+@@ -640,6 +640,7 @@ EXTERN long p_mis; /* 'menuitems' */
+ #ifdef FEAT_SPELL
+ EXTERN char_u *p_msm; /* 'mkspellmem' */
+ #endif
++EXTERN long p_mle; /* 'modelineexpr' */
+ EXTERN long p_mls; /* 'modelines' */
+ EXTERN char_u *p_mouse; /* 'mouse' */
+ #ifdef FEAT_GUI
+diff --git a/src/testdir/test49.in b/src/testdir/test49.in
+index 79f13f6..a0c9e0d 100644
+--- a/src/testdir/test49.in
++++ b/src/testdir/test49.in
+@@ -5,7 +5,7 @@ test49.failed, try to add one or more "G"s at the line ending in "test.out"
+
+ STARTTEST
+ :so small.vim
+-:se nocp nomore viminfo+=nviminfo
++:se nocp nomore viminfo+=nviminfo modelineexpr
+ :lang mess C
+ :so test49.vim
+ :" Go back to this file and append the results from register r.
+diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
+index e0f97c4..101116c 100644
+--- a/src/testdir/test_modeline.vim
++++ b/src/testdir/test_modeline.vim
+@@ -60,14 +60,17 @@ func Test_modeline_keymap()
+ set keymap= iminsert=0 imsearch=-1
+ endfunc
+
+-func s:modeline_fails(what, text)
++func s:modeline_fails(what, text, error)
++ if !exists('+' . a:what)
++ return
++ endif
+ let fname = "Xmodeline_fails_" . a:what
+ call writefile(['vim: set ' . a:text . ' :', 'nothing'], fname)
+ let modeline = &modeline
+ set modeline
+ filetype plugin on
+ syntax enable
+- call assert_fails('split ' . fname, 'E474:')
++ call assert_fails('split ' . fname, a:error)
+ call assert_equal("", &filetype)
+ call assert_equal("", &syntax)
+
+@@ -79,16 +82,90 @@ func s:modeline_fails(what, text)
+ endfunc
+
+ func Test_modeline_filetype_fails()
+- call s:modeline_fails('filetype', 'ft=evil$CMD')
++ call s:modeline_fails('filetype', 'ft=evil$CMD', 'E474:')
+ endfunc
+
+ func Test_modeline_syntax_fails()
+- call s:modeline_fails('syntax', 'syn=evil$CMD')
++ call s:modeline_fails('syntax', 'syn=evil$CMD', 'E474:')
+ endfunc
+
+ func Test_modeline_keymap_fails()
+- if !has('keymap')
+- return
+- endif
+- call s:modeline_fails('keymap', 'keymap=evil$CMD')
++ call s:modeline_fails('keymap', 'keymap=evil$CMD', 'E474:')
++endfunc
++
++func Test_modeline_fails_always()
++ call s:modeline_fails('backupdir', 'backupdir=Something()', 'E520:')
++ call s:modeline_fails('cdpath', 'cdpath=Something()', 'E520:')
++ call s:modeline_fails('charconvert', 'charconvert=Something()', 'E520:')
++ call s:modeline_fails('completefunc', 'completefunc=Something()', 'E520:')
++ call s:modeline_fails('cscopeprg', 'cscopeprg=Something()', 'E520:')
++ call s:modeline_fails('diffexpr', 'diffexpr=Something()', 'E520:')
++ call s:modeline_fails('directory', 'directory=Something()', 'E520:')
++ call s:modeline_fails('equalprg', 'equalprg=Something()', 'E520:')
++ call s:modeline_fails('errorfile', 'errorfile=Something()', 'E520:')
++ call s:modeline_fails('exrc', 'exrc=Something()', 'E520:')
++ call s:modeline_fails('formatprg', 'formatprg=Something()', 'E520:')
++ call s:modeline_fails('fsync', 'fsync=Something()', 'E520:')
++ call s:modeline_fails('grepprg', 'grepprg=Something()', 'E520:')
++ call s:modeline_fails('helpfile', 'helpfile=Something()', 'E520:')
++ call s:modeline_fails('imactivatefunc', 'imactivatefunc=Something()', 'E520:')
++ call s:modeline_fails('imstatusfunc', 'imstatusfunc=Something()', 'E520:')
++ call s:modeline_fails('imstyle', 'imstyle=Something()', 'E520:')
++ call s:modeline_fails('keywordprg', 'keywordprg=Something()', 'E520:')
++ call s:modeline_fails('langmap', 'langmap=Something()', 'E520:')
++ call s:modeline_fails('luadll', 'luadll=Something()', 'E520:')
++ call s:modeline_fails('makeef', 'makeef=Something()', 'E520:')
++ call s:modeline_fails('makeprg', 'makeprg=Something()', 'E520:')
++ call s:modeline_fails('makespellmem', 'makespellmem=Something()', 'E520:')
++ call s:modeline_fails('mzschemedll', 'mzschemedll=Something()', 'E520:')
++ call s:modeline_fails('mzschemegcdll', 'mzschemegcdll=Something()', 'E520:')
++ call s:modeline_fails('omnifunc', 'omnifunc=Something()', 'E520:')
++ call s:modeline_fails('operatorfunc', 'operatorfunc=Something()', 'E520:')
++ call s:modeline_fails('perldll', 'perldll=Something()', 'E520:')
++ call s:modeline_fails('printdevice', 'printdevice=Something()', 'E520:')
++ call s:modeline_fails('patchexpr', 'patchexpr=Something()', 'E520:')
++ call s:modeline_fails('printexpr', 'printexpr=Something()', 'E520:')
++ call s:modeline_fails('pythondll', 'pythondll=Something()', 'E520:')
++ call s:modeline_fails('pythonhome', 'pythondll=Something()', 'E520:')
++ call s:modeline_fails('pythonthreedll', 'pythonthreedll=Something()', 'E520:')
++ call s:modeline_fails('pythonthreehome', 'pythonthreehome=Something()', 'E520:')
++ call s:modeline_fails('pyxversion', 'pyxversion=Something()', 'E520:')
++ call s:modeline_fails('rubydll', 'rubydll=Something()', 'E520:')
++ call s:modeline_fails('runtimepath', 'runtimepath=Something()', 'E520:')
++ call s:modeline_fails('secure', 'secure=Something()', 'E520:')
++ call s:modeline_fails('shell', 'shell=Something()', 'E520:')
++ call s:modeline_fails('shellcmdflag', 'shellcmdflag=Something()', 'E520:')
++ call s:modeline_fails('shellpipe', 'shellpipe=Something()', 'E520:')
++ call s:modeline_fails('shellquote', 'shellquote=Something()', 'E520:')
++ call s:modeline_fails('shellredir', 'shellredir=Something()', 'E520:')
++ call s:modeline_fails('shellxquote', 'shellxquote=Something()', 'E520:')
++ call s:modeline_fails('spellfile', 'spellfile=Something()', 'E520:')
++ call s:modeline_fails('spellsuggest', 'spellsuggest=Something()', 'E520:')
++ call s:modeline_fails('tcldll', 'tcldll=Something()', 'E520:')
++ call s:modeline_fails('titleold', 'titleold=Something()', 'E520:')
++ call s:modeline_fails('viewdir', 'viewdir=Something()', 'E520:')
++ call s:modeline_fails('viminfo', 'viminfo=Something()', 'E520:')
++ call s:modeline_fails('viminfofile', 'viminfofile=Something()', 'E520:')
++ call s:modeline_fails('winptydll', 'winptydll=Something()', 'E520:')
++ call s:modeline_fails('undodir', 'undodir=Something()', 'E520:')
++ " only check a few terminal options
++ call s:modeline_fails('t_AB', 't_AB=Something()', 'E520:')
++ call s:modeline_fails('t_ce', 't_ce=Something()', 'E520:')
++ call s:modeline_fails('t_sr', 't_sr=Something()', 'E520:')
++ call s:modeline_fails('t_8b', 't_8b=Something()', 'E520:')
++endfunc
++
++func Test_modeline_fails_modelineexpr()
++ call s:modeline_fails('balloonexpr', 'balloonexpr=Something()', 'E992:')
++ call s:modeline_fails('foldexpr', 'foldexpr=Something()', 'E992:')
++ call s:modeline_fails('foldtext', 'foldtext=Something()', 'E992:')
++ call s:modeline_fails('formatexpr', 'formatexpr=Something()', 'E992:')
++ call s:modeline_fails('guitablabel', 'guitablabel=Something()', 'E992:')
++ call s:modeline_fails('iconstring', 'iconstring=Something()', 'E992:')
++ call s:modeline_fails('includeexpr', 'includeexpr=Something()', 'E992:')
++ call s:modeline_fails('indentexpr', 'indentexpr=Something()', 'E992:')
++ call s:modeline_fails('rulerformat', 'rulerformat=Something()', 'E992:')
++ call s:modeline_fails('statusline', 'statusline=Something()', 'E992:')
++ call s:modeline_fails('tabline', 'tabline=Something()', 'E992:')
++ call s:modeline_fails('titlestring', 'titlestring=Something()', 'E992:')
+ endfunc
+diff --git a/src/version.c b/src/version.c
+index 3040409..2cbc426 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1366,
+ /**/
+ 1365,
+ /**/
diff --git a/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch b/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch
new file mode 100644
index 0000000..fd94f36
--- /dev/null
+++ b/debian/patches/patch-8.1.1367-can-set-modelineexpr-in-modeline.patch
@@ -0,0 +1,54 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 23 May 2019 17:08:49 +0200
+Subject: patch 8.1.1367: can set 'modelineexpr' in modeline
+
+Problem: can set 'modelineexpr' in modeline.
+Solution: Add P_SECURE flag.
+
+(cherry picked from commit 7e800c6047c8a9cc3e5cbc019a4dc91ec36616b1)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ src/option.c | 2 +-
+ src/testdir/test_modeline.vim | 1 +
+ src/version.c | 2 ++
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/option.c b/src/option.c
+index e1e89d5..e3f5f5d 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -1892,7 +1892,7 @@ static struct vimoption options[] =
+ {"modeline", "ml", P_BOOL|P_VIM,
+ (char_u *)&p_ml, PV_ML,
+ {(char_u *)FALSE, (char_u *)TRUE} SCTX_INIT},
+- {"modelineexpr", "mle", P_BOOL|P_VI_DEF,
++ {"modelineexpr", "mle", P_BOOL|P_VI_DEF|P_SECURE,
+ (char_u *)&p_mle, PV_NONE,
+ {(char_u *)FALSE, (char_u *)0L} SCTX_INIT},
+ {"modelines", "mls", P_NUM|P_VI_DEF,
+diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
+index 101116c..89c06ba 100644
+--- a/src/testdir/test_modeline.vim
++++ b/src/testdir/test_modeline.vim
+@@ -119,6 +119,7 @@ func Test_modeline_fails_always()
+ call s:modeline_fails('makespellmem', 'makespellmem=Something()', 'E520:')
+ call s:modeline_fails('mzschemedll', 'mzschemedll=Something()', 'E520:')
+ call s:modeline_fails('mzschemegcdll', 'mzschemegcdll=Something()', 'E520:')
++ call s:modeline_fails('modelineexpr', 'modelineexpr', 'E520:')
+ call s:modeline_fails('omnifunc', 'omnifunc=Something()', 'E520:')
+ call s:modeline_fails('operatorfunc', 'operatorfunc=Something()', 'E520:')
+ call s:modeline_fails('perldll', 'perldll=Something()', 'E520:')
+diff --git a/src/version.c b/src/version.c
+index 2cbc426..0ce8831 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1367,
+ /**/
+ 1366,
+ /**/
diff --git a/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch b/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch
new file mode 100644
index 0000000..36bbbe9
--- /dev/null
+++ b/debian/patches/patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch
@@ -0,0 +1,42 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 23 May 2019 17:35:55 +0200
+Subject: patch 8.1.1368: modeline test fails with python but without
+ pythonhome
+
+Problem: Modeline test fails with python but without pythonhome.
+Solution: Correct test argument.
+
+(cherry picked from commit e09244ee3567d658c293fb1ae0d47a1a8be870ac)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ src/testdir/test_modeline.vim | 2 +-
+ src/version.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
+index 89c06ba..7251036 100644
+--- a/src/testdir/test_modeline.vim
++++ b/src/testdir/test_modeline.vim
+@@ -127,7 +127,7 @@ func Test_modeline_fails_always()
+ call s:modeline_fails('patchexpr', 'patchexpr=Something()', 'E520:')
+ call s:modeline_fails('printexpr', 'printexpr=Something()', 'E520:')
+ call s:modeline_fails('pythondll', 'pythondll=Something()', 'E520:')
+- call s:modeline_fails('pythonhome', 'pythondll=Something()', 'E520:')
++ call s:modeline_fails('pythonhome', 'pythonhome=Something()', 'E520:')
+ call s:modeline_fails('pythonthreedll', 'pythonthreedll=Something()', 'E520:')
+ call s:modeline_fails('pythonthreehome', 'pythonthreehome=Something()', 'E520:')
+ call s:modeline_fails('pyxversion', 'pyxversion=Something()', 'E520:')
+diff --git a/src/version.c b/src/version.c
+index 0ce8831..90acd77 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1368,
+ /**/
+ 1367,
+ /**/
diff --git a/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch b/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch
new file mode 100644
index 0000000..114c2a4
--- /dev/null
+++ b/debian/patches/patch-8.1.1382-error-when-editing-test-file.patch
@@ -0,0 +1,71 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 24 May 2019 17:33:01 +0200
+Subject: patch 8.1.1382: error when editing test file
+
+Problem: Error when editing test file.
+Solution: Remove part of modeline.
+
+(cherry picked from commit 3020a87cb121123abf1e9a1eca0eddac241fc481)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ src/testdir/test49.in | 2 +-
+ src/testdir/test49.vim | 3 +--
+ src/testdir/test_vimscript.vim | 1 -
+ src/version.c | 2 ++
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/testdir/test49.in b/src/testdir/test49.in
+index a0c9e0d..79f13f6 100644
+--- a/src/testdir/test49.in
++++ b/src/testdir/test49.in
+@@ -5,7 +5,7 @@ test49.failed, try to add one or more "G"s at the line ending in "test.out"
+
+ STARTTEST
+ :so small.vim
+-:se nocp nomore viminfo+=nviminfo modelineexpr
++:se nocp nomore viminfo+=nviminfo
+ :lang mess C
+ :so test49.vim
+ :" Go back to this file and append the results from register r.
+diff --git a/src/testdir/test49.vim b/src/testdir/test49.vim
+index 97088f0..7393ec4 100644
+--- a/src/testdir/test49.vim
++++ b/src/testdir/test49.vim
+@@ -1,6 +1,6 @@
+ " Vim script language tests
+ " Author: Servatius Brandt <Servatius.Brandt@fujitsu-siemens.com>
+-" Last Change: 2019 Jan 13
++" Last Change: 2019 May 24
+
+ "-------------------------------------------------------------------------------
+ " Test environment {{{1
+@@ -9005,5 +9005,4 @@ Xcheck 50443995
+ "-------------------------------------------------------------------------------
+ " Modelines {{{1
+ " vim: ts=8 sw=4 tw=80 fdm=marker
+-" vim: fdt=substitute(substitute(foldtext(),\ '\\%(^+--\\)\\@<=\\(\\s*\\)\\(.\\{-}\\)\:\ \\%(\"\ \\)\\=\\(Test\ \\d*\\)\:\\s*',\ '\\3\ (\\2)\:\ \\1',\ \"\"),\ '\\(Test\\s*\\)\\(\\d\\)\\D\\@=',\ '\\1\ \\2',\ "")
+ "-------------------------------------------------------------------------------
+diff --git a/src/testdir/test_vimscript.vim b/src/testdir/test_vimscript.vim
+index 9de0a62..24379ed 100644
+--- a/src/testdir/test_vimscript.vim
++++ b/src/testdir/test_vimscript.vim
+@@ -1444,5 +1444,4 @@ endfunc
+ "-------------------------------------------------------------------------------
+ " Modelines {{{1
+ " vim: ts=8 sw=4 tw=80 fdm=marker
+-" vim: fdt=substitute(substitute(foldtext(),\ '\\%(^+--\\)\\@<=\\(\\s*\\)\\(.\\{-}\\)\:\ \\%(\"\ \\)\\=\\(Test\ \\d*\\)\:\\s*',\ '\\3\ (\\2)\:\ \\1',\ \"\"),\ '\\(Test\\s*\\)\\(\\d\\)\\D\\@=',\ '\\1\ \\2',\ "")
+ "-------------------------------------------------------------------------------
+diff --git a/src/version.c b/src/version.c
+index 90acd77..a0ca945 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1382,
+ /**/
+ 1368,
+ /**/
diff --git a/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch b/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch
new file mode 100644
index 0000000..5f422ac
--- /dev/null
+++ b/debian/patches/patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch
@@ -0,0 +1,69 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 26 May 2019 19:20:43 +0200
+Subject: patch 8.1.1401: misspelled mkspellmem as makespellmem
+
+Problem: Misspelled mkspellmem as makespellmem.
+Solution: Drop duplicate help entry, fix test. (Naruhiko Nishino, Ken
+ Takata, closes #4437)
+
+(cherry picked from commit 076073950c44ea0e35bc39d539dc7ab41bf9c7ec)
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/doc/options.txt | 8 ++------
+ src/testdir/test_modeline.vim | 2 +-
+ src/version.c | 2 ++
+ 3 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
+index 7b25f20..4ab87db 100644
+--- a/runtime/doc/options.txt
++++ b/runtime/doc/options.txt
+@@ -5245,12 +5245,6 @@ A jump table for the options with a short description can be found at |Q_op|.
+ < This option cannot be set from a |modeline| or in the |sandbox|, for
+ security reasons.
+
+- *'makespellmem'* *'msm'*
+-'makespellmem' 'msm' string (default "460000,2000,500")
+- global
+- Values relevant only when compressing a spell file, see |spell|.
+- This option cannot be set from a |modeline| or in the |sandbox|.
+-
+ *'matchpairs'* *'mps'*
+ 'matchpairs' 'mps' string (default "(:),{:},[:]")
+ local to buffer
+@@ -5413,6 +5407,8 @@ A jump table for the options with a short description can be found at |Q_op|.
+ < If you have less than 512 Mbyte |:mkspell| may fail for some
+ languages, no matter what you set 'mkspellmem' to.
+
++ This option cannot be set from a |modeline| or in the |sandbox|.
++
+ *'modeline'* *'ml'* *'nomodeline'* *'noml'*
+ 'modeline' 'ml' boolean (Vim default: on (off for root),
+ Debian: off, Vi default: off)
+diff --git a/src/testdir/test_modeline.vim b/src/testdir/test_modeline.vim
+index 7251036..b5513d5 100644
+--- a/src/testdir/test_modeline.vim
++++ b/src/testdir/test_modeline.vim
+@@ -116,7 +116,7 @@ func Test_modeline_fails_always()
+ call s:modeline_fails('luadll', 'luadll=Something()', 'E520:')
+ call s:modeline_fails('makeef', 'makeef=Something()', 'E520:')
+ call s:modeline_fails('makeprg', 'makeprg=Something()', 'E520:')
+- call s:modeline_fails('makespellmem', 'makespellmem=Something()', 'E520:')
++ call s:modeline_fails('mkspellmem', 'mkspellmem=Something()', 'E520:')
+ call s:modeline_fails('mzschemedll', 'mzschemedll=Something()', 'E520:')
+ call s:modeline_fails('mzschemegcdll', 'mzschemegcdll=Something()', 'E520:')
+ call s:modeline_fails('modelineexpr', 'modelineexpr', 'E520:')
+diff --git a/src/version.c b/src/version.c
+index a0ca945..1b5d863 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1401,
+ /**/
+ 1382,
+ /**/
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9a8f88a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,23 @@
+upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
+debian/Support-sourcing-a-vimrc.tiny-when-Vim-is-invoked-as-vi.patch
+debian/Detect-the-rst-filetype-using-the-contents-of-the-file.patch
+debian/Add-recognition-of-more-LaTeX-commands-for-tex-filetype-d.patch
+debian/Document-Debian-s-decision-to-disable-modelines-by-defaul.patch
+patch-8.1.0878-test-for-has-bsd-fails-on-some-BSD-systems.patch
+patch-8.1.0884-double-check-for-bsd-systems.patch
+patch-8.1.0948-when-built-without-eval-Vim-clean-produces.patch
+upstream/deb-release-names.patch
+patch-8.1.1046-the-secure-variable-is-used-inconsistently.patch
+patch-8.1.1365-source-command-doesn-t-check-for-the-sandb.patch
+patch-8.1.1366-using-expressions-in-a-modeline-is-unsafe.patch
+patch-8.1.1367-can-set-modelineexpr-in-modeline.patch
+patch-8.1.1368-modeline-test-fails-with-python-but-withou.patch
+patch-8.1.1382-error-when-editing-test-file.patch
+patch-8.1.1401-misspelled-mkspellmem-as-makespellmem.patch
+upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch
+upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch
+upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch
+upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
+upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
+upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
+upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
diff --git a/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch b/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
new file mode 100644
index 0000000..f26c02a
--- /dev/null
+++ b/debian/patches/upstream/Support-defining-compilation-date-in-SOURCE_DATE_EPOCH.patch
@@ -0,0 +1,89 @@
+From: James McCoy <jamessan@jamessan.com>
+Date: Thu, 28 Jan 2016 10:55:11 -0500
+Subject: Support defining compilation date in $SOURCE_DATE_EPOCH
+
+There is an ongoing effort[0] to make FOSS software reproducibly
+buildable. In order to make Vim build reproducibly, it is necessary to
+allow defining the date/time that is part of VIM_VERSION_LONG as part of
+the build process.
+
+This commit enables that by adding support for the SOURCE_DATE_EPOCH
+spec[1]. When the $SOURCE_DATE_EPOCH environment variable is defined,
+it will be used to populate the BUILD_DATE preprocessor define.
+
+If BUILD_DATE is not defined, the existing behavior of relying on the
+preprocessor's __DATE__/__TIME__ symbols will be used.
+
+[0]: https://reproducible-builds.org/
+[1]: https://reproducible-builds.org/specs/source-date-epoch/
+---
+ src/config.h.in | 3 +++
+ src/configure.ac | 10 ++++++++++
+ src/version.c | 8 ++++++++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/src/config.h.in b/src/config.h.in
+index d1aaf70..78cf319 100644
+--- a/src/config.h.in
++++ b/src/config.h.in
+@@ -30,6 +30,9 @@
+ /* Define when __DATE__ " " __TIME__ can be used */
+ #undef HAVE_DATE_TIME
+
++/* Defined as the date of last modification */
++#undef BUILD_DATE
++
+ /* Define when __attribute__((unused)) can be used */
+ #undef HAVE_ATTRIBUTE_UNUSED
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 2b7725b..21ca7a1 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -62,6 +62,16 @@ if test x"$ac_cv_prog_cc_c99" != xno; then
+ fi
+ fi
+
++dnl If $SOURCE_DATE_EPOCH is present in the environment, use that as the
++dnl "compiled" timestamp in :version's output. Attempt to get the formatted
++dnl date using GNU date syntax, BSD date syntax, and finally falling back to
++dnl just using the current time.
++if test -n "$SOURCE_DATE_EPOCH"; then
++ DATE_FMT="%b %d %Y %H:%M:%S"
++ BUILD_DATE=$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "+$DATE_FMT" 2>/dev/null || LC_ALL=C date -u -r "$SOURCE_DATE_EPOCH" "+$DATE_FMT" 2>/dev/null || LC_ALL=C date -u "+$DATE_FMT")
++ AC_DEFINE_UNQUOTED(BUILD_DATE, ["$BUILD_DATE"])
++fi
++
+ dnl Check for the flag that fails if stuff are missing.
+
+ AC_MSG_CHECKING(--enable-fail-if-missing argument)
+diff --git a/src/version.c b/src/version.c
+index 9b2e7c9..0b86826 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -44,9 +44,13 @@ init_longVersion(void)
+ * VAX C can't catenate strings in the preprocessor.
+ */
+ strcpy(longVersion, VIM_VERSION_LONG_DATE);
++#ifdef BUILD_DATE
++ strcat(longVersion, BUILD_DATE);
++#else
+ strcat(longVersion, __DATE__);
+ strcat(longVersion, " ");
+ strcat(longVersion, __TIME__);
++#endif
+ strcat(longVersion, ")");
+ }
+
+@@ -54,7 +58,11 @@ init_longVersion(void)
+ void
+ init_longVersion(void)
+ {
++#ifdef BUILD_DATE
++ char *date_time = BUILD_DATE;
++#else
+ char *date_time = __DATE__ " " __TIME__;
++#endif
+ char *msg = _("%s (%s, compiled %s)");
+ size_t len = strlen(msg)
+ + strlen(VIM_VERSION_LONG_ONLY)
diff --git a/debian/patches/upstream/deb-release-names.patch b/debian/patches/upstream/deb-release-names.patch
new file mode 100644
index 0000000..42b72dd
--- /dev/null
+++ b/debian/patches/upstream/deb-release-names.patch
@@ -0,0 +1,58 @@
+From: James McCoy <jamessan@debian.org>
+Date: Sun, 21 Apr 2019 23:12:18 -0400
+Subject: Add Ubuntu's eoan and Debian's buster, bullseye, bookworm releases
+
+Signed-off-by: James McCoy <jamessan@debian.org>
+---
+ runtime/syntax/debchangelog.vim | 4 ++--
+ runtime/syntax/debsources.vim | 7 ++++---
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/runtime/syntax/debchangelog.vim b/runtime/syntax/debchangelog.vim
+index 4ca4c29..9d6dfe9 100644
+--- a/runtime/syntax/debchangelog.vim
++++ b/runtime/syntax/debchangelog.vim
+@@ -3,7 +3,7 @@
+ " Maintainer: Debian Vim Maintainers
+ " Former Maintainers: Gerfried Fuchs <alfie@ist.org>
+ " Wichert Akkerman <wakkerma@debian.org>
+-" Last Change: 2019 Jan 26
++" Last Change: 2019 Apr 21
+ " URL: https://salsa.debian.org/vim-team/vim-debian/blob/master/syntax/debchangelog.vim
+
+ " Standard syntax initialization
+@@ -21,7 +21,7 @@ let s:binNMU='binary-only=yes'
+ syn match debchangelogName contained "^[[:alnum:]][[:alnum:].+-]\+ "
+ exe 'syn match debchangelogFirstKV contained "; \('.s:urgency.'\|'.s:binNMU.'\)"'
+ exe 'syn match debchangelogOtherKV contained ", \('.s:urgency.'\|'.s:binNMU.'\)"'
+-syn match debchangelogTarget contained "\v %(frozen|unstable|sid|%(testing|%(old)=stable)%(-proposed-updates|-security)=|experimental|squeeze-%(backports%(-sloppy)=|volatile|lts|security)|%(wheezy|jessie)%(-backports%(-sloppy)=|-security)=|stretch%(-backports|-security)=|%(devel|precise|trusty|vivid|wily|xenial|yakkety|zesty|artful|bionic|cosmic|disco)%(-%(security|proposed|updates|backports|commercial|partner))=)+"
++syn match debchangelogTarget contained "\v %(frozen|unstable|sid|%(testing|%(old)=stable)%(-proposed-updates|-security)=|experimental|%(squeeze|wheezy|jessie)-%(backports%(-sloppy)=|lts|security)|stretch%(-backports%(-sloppy)=|-security)=|buster%(-backports|-security)=|bullseye|%(devel|precise|trusty|vivid|wily|xenial|yakkety|zesty|artful|bionic|cosmic|disco|eoan)%(-%(security|proposed|updates|backports|commercial|partner))=)+"
+ syn match debchangelogVersion contained "(.\{-})"
+ syn match debchangelogCloses contained "closes:\_s*\(bug\)\=#\=\_s\=\d\+\(,\_s*\(bug\)\=#\=\_s\=\d\+\)*"
+ syn match debchangelogLP contained "\clp:\s\+#\d\+\(,\s*#\d\+\)*"
+diff --git a/runtime/syntax/debsources.vim b/runtime/syntax/debsources.vim
+index 4b21941..f90476f 100644
+--- a/runtime/syntax/debsources.vim
++++ b/runtime/syntax/debsources.vim
+@@ -2,7 +2,7 @@
+ " Language: Debian sources.list
+ " Maintainer: Debian Vim Maintainers
+ " Former Maintainer: Matthijs Mohlmann <matthijs@cacholong.nl>
+-" Last Change: 2018 Oct 30
++" Last Change: 2019 Apr 21
+ " URL: https://salsa.debian.org/vim-team/vim-debian/blob/master/syntax/debsources.vim
+
+ " Standard syntax initialization
+@@ -23,9 +23,10 @@ let s:cpo = &cpo
+ set cpo-=C
+ let s:supported = [
+ \ 'oldstable', 'stable', 'testing', 'unstable', 'experimental',
+- \ 'wheezy', 'jessie', 'stretch', 'sid', 'rc-buggy',
++ \ 'wheezy', 'jessie', 'stretch', 'buster', 'bullseye', 'bookworm',
++ \ 'sid', 'rc-buggy',
+ \
+- \ 'trusty', 'xenial', 'bionic', 'cosmic', 'disco', 'devel'
++ \ 'trusty', 'xenial', 'bionic', 'cosmic', 'disco', 'eoan', 'devel'
+ \ ]
+ let s:unsupported = [
+ \ 'buzz', 'rex', 'bo', 'hamm', 'slink', 'potato',
diff --git a/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch b/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch
new file mode 100644
index 0000000..01e9ad7
--- /dev/null
+++ b/debian/patches/upstream/patch-8.1.0881-can-execute-shell-commands-in-rvim-through.patch
@@ -0,0 +1,378 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Feb 2019 14:34:10 +0100
+Subject: patch 8.1.0881: can execute shell commands in rvim through
+ interfaces
+
+Problem: Can execute shell commands in rvim through interfaces.
+Solution: Disable using interfaces in restricted mode. Allow for writing
+ file with writefile(), histadd() and a few others.
+(cherry picked from commit 8c62a08faf89663e5633dc5036cd8695c80f1075)
+---
+ runtime/doc/starting.txt | 14 ++++--
+ src/evalfunc.c | 22 +++++++--
+ src/ex_cmds.c | 2 +-
+ src/ex_docmd.c | 7 ++-
+ src/if_perl.xs | 13 ++---
+ src/testdir/Make_all.mak | 2 +
+ src/testdir/test_restricted.vim | 107 ++++++++++++++++++++++++++++++++++++++++
+ src/version.c | 2 +
+ 8 files changed, 151 insertions(+), 18 deletions(-)
+ create mode 100644 src/testdir/test_restricted.vim
+
+diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt
+index 711a487..6289e9c 100644
+--- a/runtime/doc/starting.txt
++++ b/runtime/doc/starting.txt
+@@ -248,12 +248,18 @@ a slash. Thus "-R" means recovery and "-/R" readonly.
+ changes and writing.
+ {not in Vi}
+
+- *-Z* *restricted-mode* *E145*
++ *-Z* *restricted-mode* *E145* *E981*
+ -Z Restricted mode. All commands that make use of an external
+ shell are disabled. This includes suspending with CTRL-Z,
+- ":sh", filtering, the system() function, backtick expansion,
+- delete(), rename(), mkdir(), writefile(), libcall(),
+- job_start(), etc.
++ ":sh", filtering, the system() function, backtick expansion
++ and libcall().
++ Also disallowed are delete(), rename(), mkdir(), job_start(),
++ etc.
++ Interfaces, such as Python, Ruby and Lua, are also disabled,
++ since they could be used to execute shell commands. Perl uses
++ the Safe module.
++ Note that the user may still find a loophole to execute a
++ shell command, it has only been made difficult.
+ {not in Vi}
+
+ *-g*
+diff --git a/src/evalfunc.c b/src/evalfunc.c
+index fa7ed9b..eb082b7 100644
+--- a/src/evalfunc.c
++++ b/src/evalfunc.c
+@@ -6817,7 +6817,7 @@ f_histadd(typval_T *argvars UNUSED, typval_T *rettv)
+ #endif
+
+ rettv->vval.v_number = FALSE;
+- if (check_restricted() || check_secure())
++ if (check_secure())
+ return;
+ #ifdef FEAT_CMDHIST
+ str = tv_get_string_chk(&argvars[0]); /* NULL on type error */
+@@ -7898,6 +7898,9 @@ f_luaeval(typval_T *argvars, typval_T *rettv)
+ char_u *str;
+ char_u buf[NUMBUFLEN];
+
++ if (check_restricted() || check_secure())
++ return;
++
+ str = tv_get_string_buf(&argvars[0], buf);
+ do_luaeval(str, argvars + 1, rettv);
+ }
+@@ -8644,6 +8647,8 @@ f_mzeval(typval_T *argvars, typval_T *rettv)
+ char_u *str;
+ char_u buf[NUMBUFLEN];
+
++ if (check_restricted() || check_secure())
++ return;
+ str = tv_get_string_buf(&argvars[0], buf);
+ do_mzeval(str, rettv);
+ }
+@@ -8932,6 +8937,9 @@ f_py3eval(typval_T *argvars, typval_T *rettv)
+ char_u *str;
+ char_u buf[NUMBUFLEN];
+
++ if (check_restricted() || check_secure())
++ return;
++
+ if (p_pyx == 0)
+ p_pyx = 3;
+
+@@ -8950,6 +8958,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv)
+ char_u *str;
+ char_u buf[NUMBUFLEN];
+
++ if (check_restricted() || check_secure())
++ return;
++
+ if (p_pyx == 0)
+ p_pyx = 2;
+
+@@ -8965,6 +8976,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv)
+ static void
+ f_pyxeval(typval_T *argvars, typval_T *rettv)
+ {
++ if (check_restricted() || check_secure())
++ return;
++
+ # if defined(FEAT_PYTHON) && defined(FEAT_PYTHON3)
+ init_pyxversion();
+ if (p_pyx == 2)
+@@ -10819,7 +10833,7 @@ f_setbufvar(typval_T *argvars, typval_T *rettv UNUSED)
+ typval_T *varp;
+ char_u nbuf[NUMBUFLEN];
+
+- if (check_restricted() || check_secure())
++ if (check_secure())
+ return;
+ (void)tv_get_number(&argvars[0]); /* issue errmsg if type error */
+ varname = tv_get_string_chk(&argvars[1]);
+@@ -11341,7 +11355,7 @@ f_settabvar(typval_T *argvars, typval_T *rettv)
+
+ rettv->vval.v_number = 0;
+
+- if (check_restricted() || check_secure())
++ if (check_secure())
+ return;
+
+ tp = find_tabpage((int)tv_get_number_chk(&argvars[0], NULL));
+@@ -14714,7 +14728,7 @@ f_writefile(typval_T *argvars, typval_T *rettv)
+ blob_T *blob = NULL;
+
+ rettv->vval.v_number = -1;
+- if (check_restricted() || check_secure())
++ if (check_secure())
+ return;
+
+ if (argvars[0].v_type == VAR_LIST)
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index a3974c1..681ef42 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4775,7 +4775,7 @@ check_restricted(void)
+ {
+ if (restricted)
+ {
+- emsg(_("E145: Shell commands not allowed in rvim"));
++ emsg(_("E145: Shell commands and some functionality not allowed in rvim"));
+ return TRUE;
+ }
+ return FALSE;
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index b90ea7b..ccca2f9 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -2007,11 +2007,16 @@ do_one_cmd(
+ #ifdef HAVE_SANDBOX
+ if (sandbox != 0 && !(ea.argt & SBOXOK))
+ {
+- /* Command not allowed in sandbox. */
++ // Command not allowed in sandbox.
+ errormsg = _(e_sandbox);
+ goto doend;
+ }
+ #endif
++ if (restricted != 0 && (ea.argt & RESTRICT))
++ {
++ errormsg = _("E981: Command not allowed in rvim");
++ goto doend;
++ }
+ if (!curbuf->b_p_ma && (ea.argt & MODIFY))
+ {
+ /* Command not allowed in non-'modifiable' buffer */
+diff --git a/src/if_perl.xs b/src/if_perl.xs
+index 203bb6a..67d0b94 100644
+--- a/src/if_perl.xs
++++ b/src/if_perl.xs
+@@ -971,6 +971,7 @@ VIM_init(void)
+ #ifdef DYNAMIC_PERL
+ static char *e_noperl = N_("Sorry, this command is disabled: the Perl library could not be loaded.");
+ #endif
++static char *e_perlsandbox = N_("E299: Perl evaluation forbidden in sandbox without the Safe module");
+
+ /*
+ * ":perl"
+@@ -1019,13 +1020,12 @@ ex_perl(exarg_T *eap)
+ vim_free(script);
+ }
+
+-#ifdef HAVE_SANDBOX
+- if (sandbox)
++ if (sandbox || secure)
+ {
+ safe = perl_get_sv("VIM::safe", FALSE);
+ # ifndef MAKE_TEST /* avoid a warning for unreachable code */
+ if (safe == NULL || !SvTRUE(safe))
+- emsg(_("E299: Perl evaluation forbidden in sandbox without the Safe module"));
++ emsg(_(e_perlsandbox));
+ else
+ # endif
+ {
+@@ -1037,7 +1037,6 @@ ex_perl(exarg_T *eap)
+ }
+ }
+ else
+-#endif
+ perl_eval_sv(sv, G_DISCARD | G_NOARGS);
+
+ SvREFCNT_dec(sv);
+@@ -1298,13 +1297,12 @@ do_perleval(char_u *str, typval_T *rettv)
+ ENTER;
+ SAVETMPS;
+
+-#ifdef HAVE_SANDBOX
+- if (sandbox)
++ if (sandbox || secure)
+ {
+ safe = get_sv("VIM::safe", FALSE);
+ # ifndef MAKE_TEST /* avoid a warning for unreachable code */
+ if (safe == NULL || !SvTRUE(safe))
+- emsg(_("E299: Perl evaluation forbidden in sandbox without the Safe module"));
++ emsg(_(e_perlsandbox));
+ else
+ # endif
+ {
+@@ -1320,7 +1318,6 @@ do_perleval(char_u *str, typval_T *rettv)
+ }
+ }
+ else
+-#endif /* HAVE_SANDBOX */
+ sv = eval_pv((char *)str, 0);
+
+ if (sv) {
+diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
+index 5857a22..2ca5f2b 100644
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -213,6 +213,7 @@ NEW_TESTS = \
+ test_regexp_utf8 \
+ test_registers \
+ test_reltime \
++ test_restricted \
+ test_retab \
+ test_ruby \
+ test_scriptnames \
+@@ -375,6 +376,7 @@ NEW_TESTS_RES = \
+ test_quotestar.res \
+ test_regex_char_classes.res \
+ test_registers.res \
++ test_restricted.res \
+ test_retab.res \
+ test_ruby.res \
+ test_scriptnames.res \
+diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim
+new file mode 100644
+index 0000000..9dd937c
+--- /dev/null
++++ b/src/testdir/test_restricted.vim
+@@ -0,0 +1,107 @@
++" Test for "rvim" or "vim -Z"
++
++source shared.vim
++
++func Test_restricted()
++ let cmd = GetVimCommand('Xrestricted')
++ if cmd == ''
++ return
++ endif
++
++ call writefile([
++ \ "silent !ls",
++ \ "call writefile([v:errmsg], 'Xrestrout')",
++ \ "qa!",
++ \ ], 'Xrestricted')
++ call system(cmd . ' -Z')
++ call assert_match('E145:', join(readfile('Xrestrout')))
++
++ call delete('Xrestricted')
++ call delete('Xrestrout')
++endfunc
++
++func Run_restricted_test(ex_cmd, error)
++ let cmd = GetVimCommand('Xrestricted')
++ if cmd == ''
++ return
++ endif
++
++ call writefile([
++ \ a:ex_cmd,
++ \ "call writefile([v:errmsg], 'Xrestrout')",
++ \ "qa!",
++ \ ], 'Xrestricted')
++ call system(cmd . ' -Z')
++ call assert_match(a:error, join(readfile('Xrestrout')))
++
++ call delete('Xrestricted')
++ call delete('Xrestrout')
++endfunc
++
++func Test_restricted_lua()
++ if !has('lua')
++ throw 'Skipped: Lua is not supported'
++ endif
++ call Run_restricted_test('lua print("Hello, Vim!")', 'E981:')
++ call Run_restricted_test('luado return "hello"', 'E981:')
++ call Run_restricted_test('luafile somefile', 'E981:')
++ call Run_restricted_test('call luaeval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_mzscheme()
++ if !has('mzscheme')
++ throw 'Skipped: MzScheme is not supported'
++ endif
++ call Run_restricted_test('mzscheme statement', 'E981:')
++ call Run_restricted_test('mzfile somefile', 'E981:')
++ call Run_restricted_test('call mzeval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_perl()
++ if !has('perl')
++ throw 'Skipped: Perl is not supported'
++ endif
++ " TODO: how to make Safe mode fail?
++ " call Run_restricted_test('perl system("ls")', 'E981:')
++ " call Run_restricted_test('perldo system("hello")', 'E981:')
++ " call Run_restricted_test('perlfile somefile', 'E981:')
++ " call Run_restricted_test('call perleval("system(\"ls\")")', 'E145:')
++endfunc
++
++func Test_restricted_python()
++ if !has('python')
++ throw 'Skipped: Python is not supported'
++ endif
++ call Run_restricted_test('python print "hello"', 'E981:')
++ call Run_restricted_test('pydo return "hello"', 'E981:')
++ call Run_restricted_test('pyfile somefile', 'E981:')
++ call Run_restricted_test('call pyeval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_python3()
++ if !has('python3')
++ throw 'Skipped: Python3 is not supported'
++ endif
++ call Run_restricted_test('py3 print "hello"', 'E981:')
++ call Run_restricted_test('py3do return "hello"', 'E981:')
++ call Run_restricted_test('py3file somefile', 'E981:')
++ call Run_restricted_test('call py3eval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_ruby()
++ if !has('ruby')
++ throw 'Skipped: Ruby is not supported'
++ endif
++ call Run_restricted_test('ruby print "Hello"', 'E981:')
++ call Run_restricted_test('rubydo print "Hello"', 'E981:')
++ call Run_restricted_test('rubyfile somefile', 'E981:')
++endfunc
++
++func Test_restricted_tcl()
++ if !has('tcl')
++ throw 'Skipped: Tcl is not supported'
++ endif
++ call Run_restricted_test('tcl puts "Hello"', 'E981:')
++ call Run_restricted_test('tcldo puts "Hello"', 'E981:')
++ call Run_restricted_test('tclfile somefile', 'E981:')
++endfunc
+diff --git a/src/version.c b/src/version.c
+index 1b5d863..adb3441 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -809,6 +809,8 @@ static int included_patches[] =
+ 948,
+ /**/
+ 884,
++/**/
++ 881,
+ /**/
+ 878,
+ /**/
diff --git a/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch b/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch
new file mode 100644
index 0000000..6f2d6eb
--- /dev/null
+++ b/debian/patches/upstream/patch-8.1.0883-missing-some-changes-for-Ex-commands.patch
@@ -0,0 +1,150 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 8 Feb 2019 16:50:26 +0100
+Subject: patch 8.1.0883: missing some changes for Ex commands
+
+Problem: Missing some changes for Ex commands.
+Solution: Add mising changes in header file.
+(cherry picked from commit 54d6fe5e60c0c488a424c078963ead40ae7dc397)
+---
+ src/ex_cmds.h | 45 +++++++++++++++++++++++----------------------
+ src/version.c | 2 ++
+ 2 files changed, 25 insertions(+), 22 deletions(-)
+
+diff --git a/src/ex_cmds.h b/src/ex_cmds.h
+index 07afb00..eed4ce2 100644
+--- a/src/ex_cmds.h
++++ b/src/ex_cmds.h
+@@ -57,6 +57,7 @@
+ * curbuf_lock is set */
+ #define MODIFY 0x200000L /* forbidden in non-'modifiable' buffer */
+ #define EXFLAGS 0x400000L /* allow flags after count in argument */
++#define RESTRICT 0x800000L /* forbidden in restricted mode */
+ #define FILES (XFILE | EXTRA) /* multiple extra files allowed */
+ #define WORD1 (EXTRA | NOSPC) /* one extra word allowed */
+ #define FILE1 (FILES | NOSPC) /* 1 file allowed, defaults to current file */
+@@ -861,13 +862,13 @@ EX(CMD_lunmap, "lunmap", ex_unmap,
+ EXTRA|TRLBAR|NOTRLCOM|USECTRLV|CMDWIN,
+ ADDR_LINES),
+ EX(CMD_lua, "lua", ex_lua,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_luado, "luado", ex_luado,
+- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_luafile, "luafile", ex_luafile,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_lvimgrep, "lvimgrep", ex_vimgrep,
+ RANGE|NOTADR|BANG|NEEDARG|EXTRA|NOTRLCOM|TRLBAR|XFILE,
+@@ -930,10 +931,10 @@ EX(CMD_mode, "mode", ex_mode,
+ WORD1|TRLBAR|CMDWIN,
+ ADDR_LINES),
+ EX(CMD_mzscheme, "mzscheme", ex_mzscheme,
+- RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK,
++ RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_mzfile, "mzfile", ex_mzfile,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_next, "next", ex_next,
+ RANGE|NOTADR|BANG|FILES|EDITCMD|ARGOPT|TRLBAR,
+@@ -1116,37 +1117,37 @@ EX(CMD_pwd, "pwd", ex_pwd,
+ TRLBAR|CMDWIN,
+ ADDR_LINES),
+ EX(CMD_python, "python", ex_python,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_pydo, "pydo", ex_pydo,
+- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_pyfile, "pyfile", ex_pyfile,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_py3, "py3", ex_py3,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_py3do, "py3do", ex_py3do,
+- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_python3, "python3", ex_py3,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_py3file, "py3file", ex_py3file,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_pyx, "pyx", ex_pyx,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_pyxdo, "pyxdo", ex_pyxdo,
+- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_pythonx, "pythonx", ex_pyx,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_pyxfile, "pyxfile", ex_pyxfile,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_quit, "quit", ex_quit,
+ BANG|RANGE|COUNT|NOTADR|TRLBAR|CMDWIN,
+@@ -1203,13 +1204,13 @@ EX(CMD_runtime, "runtime", ex_runtime,
+ BANG|NEEDARG|FILES|TRLBAR|SBOXOK|CMDWIN,
+ ADDR_LINES),
+ EX(CMD_ruby, "ruby", ex_ruby,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_rubydo, "rubydo", ex_rubydo,
+- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_rubyfile, "rubyfile", ex_rubyfile,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_rundo, "rundo", ex_rundo,
+ NEEDARG|FILE1,
+@@ -1476,13 +1477,13 @@ EX(CMD_tabs, "tabs", ex_tabs,
+ TRLBAR|CMDWIN,
+ ADDR_TABS),
+ EX(CMD_tcl, "tcl", ex_tcl,
+- RANGE|EXTRA|NEEDARG|CMDWIN,
++ RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_tcldo, "tcldo", ex_tcldo,
+- RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++ RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_tclfile, "tclfile", ex_tclfile,
+- RANGE|FILE1|NEEDARG|CMDWIN,
++ RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ ADDR_LINES),
+ EX(CMD_tearoff, "tearoff", ex_tearoff,
+ NEEDARG|EXTRA|TRLBAR|NOTRLCOM|CMDWIN,
+diff --git a/src/version.c b/src/version.c
+index adb3441..6d29f39 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -809,6 +809,8 @@ static int included_patches[] =
+ 948,
+ /**/
+ 884,
++/**/
++ 883,
+ /**/
+ 881,
+ /**/
diff --git a/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch b/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch
new file mode 100644
index 0000000..8d1eebc
--- /dev/null
+++ b/debian/patches/upstream/patch-8.1.0936-may-leak-memory-when-using-vartabstop.patch
@@ -0,0 +1,95 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 16 Feb 2019 19:05:11 +0100
+Subject: patch 8.1.0936: may leak memory when using 'vartabstop'
+
+Problem: May leak memory when using 'vartabstop'. (Kuang-che Wu)
+Solution: Fix handling allocated memory for 'vartabstop'. (closes #3976)
+(cherry picked from commit 55c77cf2ea9c15e1ec75d1faf702ec3c9e325271)
+---
+ src/buffer.c | 4 +---
+ src/option.c | 13 +++++++++----
+ src/version.c | 2 ++
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 2c5c282..590a63c 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -2170,9 +2170,7 @@ free_buf_options(
+ vim_free(buf->b_p_vsts_array);
+ buf->b_p_vsts_array = NULL;
+ clear_string_option(&buf->b_p_vts);
+- if (buf->b_p_vts_array)
+- vim_free(buf->b_p_vts_array);
+- buf->b_p_vts_array = NULL;
++ VIM_CLEAR(buf->b_p_vts_array);
+ #endif
+ #ifdef FEAT_KEYMAP
+ clear_string_option(&buf->b_p_keymap);
+diff --git a/src/option.c b/src/option.c
+index e3f5f5d..4d067c0 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -5611,7 +5611,9 @@ didset_options2(void)
+ (void)check_clipboard_option();
+ #endif
+ #ifdef FEAT_VARTABS
++ vim_free(curbuf->b_p_vsts_array);
+ tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++ vim_free(curbuf->b_p_vts_array);
+ tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ #endif
+ }
+@@ -7587,14 +7589,14 @@ did_set_string_option(
+ if (errmsg == NULL)
+ {
+ int *oldarray = curbuf->b_p_vts_array;
++
+ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
+ {
+- if (oldarray)
+- vim_free(oldarray);
++ vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+ if (foldmethodIsIndent(curwin))
+ foldUpdateAll(curwin);
+-#endif /* FEAT_FOLDING */
++#endif
+ }
+ else
+ errmsg = e_invarg;
+@@ -12800,10 +12802,11 @@ check_ff_value(char_u *p)
+ return check_opt_strings(p, p_ff_values, FALSE);
+ }
+
+-#ifdef FEAT_VARTABS
++#if defined(FEAT_VARTABS) || defined(PROTO)
+
+ /*
+ * Set the integer values corresponding to the string setting of 'vartabstop'.
++ * "array" will be set, caller must free it if needed.
+ */
+ int
+ tabstop_set(char_u *var, int **array)
+@@ -12846,6 +12849,8 @@ tabstop_set(char_u *var, int **array)
+ }
+
+ *array = (int *)alloc((unsigned) ((valcount + 1) * sizeof(int)));
++ if (*array == NULL)
++ return FALSE;
+ (*array)[0] = valcount;
+
+ t = 1;
+diff --git a/src/version.c b/src/version.c
+index 6d29f39..6bac28e 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -807,6 +807,8 @@ static int included_patches[] =
+ 1046,
+ /**/
+ 948,
++/**/
++ 936,
+ /**/
+ 884,
+ /**/
diff --git a/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch b/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
new file mode 100644
index 0000000..ca826e0
--- /dev/null
+++ b/debian/patches/upstream/patch-8.2.3402-invalid-memory-access-when-using-retab-wit.patch
@@ -0,0 +1,196 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 18:47:28 +0200
+Subject: patch 8.2.3402: invalid memory access when using :retab with large
+ value
+
+Problem: Invalid memory access when using :retab with large value.
+Solution: Check the number is positive.
+(cherry picked from commit b7081e135a16091c93f6f5f7525a5c58fb7ca9f9)
+---
+ src/ex_cmds.c | 2 +-
+ src/option.c | 46 +++++++++++++++++++++++++++-------------------
+ src/testdir/test_retab.vim | 3 +++
+ src/version.c | 1 +
+ 4 files changed, 32 insertions(+), 20 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 681ef42..08d71e4 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -698,7 +698,7 @@ ex_retab(exarg_T *eap)
+
+ #ifdef FEAT_VARTABS
+ new_ts_str = eap->arg;
+- if (!tabstop_set(eap->arg, &new_vts_array))
++ if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
+ return;
+ while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
+ ++(eap->arg);
+diff --git a/src/option.c b/src/option.c
+index 4d067c0..3ebd443 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -5612,9 +5612,9 @@ didset_options2(void)
+ #endif
+ #ifdef FEAT_VARTABS
+ vim_free(curbuf->b_p_vsts_array);
+- tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++ (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+ vim_free(curbuf->b_p_vts_array);
+- tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
++ (void)tabstop_set(curbuf->b_p_vts, &curbuf->b_p_vts_array);
+ #endif
+ }
+
+@@ -7551,7 +7551,7 @@ did_set_string_option(
+ if (errmsg == NULL)
+ {
+ int *oldarray = curbuf->b_p_vsts_array;
+- if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
++ if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
+ {
+ if (oldarray)
+ vim_free(oldarray);
+@@ -7590,7 +7590,7 @@ did_set_string_option(
+ {
+ int *oldarray = curbuf->b_p_vts_array;
+
+- if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
++ if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
+ {
+ vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+@@ -11395,7 +11395,7 @@ buf_copy_options(buf_T *buf, int flags)
+ #ifdef FEAT_VARTABS
+ buf->b_p_vsts = vim_strsave(p_vsts);
+ if (p_vsts && p_vsts != empty_option)
+- tabstop_set(p_vsts, &buf->b_p_vsts_array);
++ (void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ else
+ buf->b_p_vsts_array = 0;
+ buf->b_p_vsts_nopaste = p_vsts_nopaste
+@@ -11524,7 +11524,7 @@ buf_copy_options(buf_T *buf, int flags)
+ buf->b_p_isk = save_p_isk;
+ #ifdef FEAT_VARTABS
+ if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+- tabstop_set(p_vts, &buf->b_p_vts_array);
++ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ else
+ buf->b_p_vts_array = NULL;
+ #endif
+@@ -11537,7 +11537,7 @@ buf_copy_options(buf_T *buf, int flags)
+ #ifdef FEAT_VARTABS
+ buf->b_p_vts = vim_strsave(p_vts);
+ if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+- tabstop_set(p_vts, &buf->b_p_vts_array);
++ (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ else
+ buf->b_p_vts_array = NULL;
+ #endif
+@@ -12435,7 +12435,7 @@ paste_option_changed(void)
+ if (buf->b_p_vsts_array)
+ vim_free(buf->b_p_vsts_array);
+ if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+- tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
++ (void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ else
+ buf->b_p_vsts_array = 0;
+ #endif
+@@ -12807,18 +12807,19 @@ check_ff_value(char_u *p)
+ /*
+ * Set the integer values corresponding to the string setting of 'vartabstop'.
+ * "array" will be set, caller must free it if needed.
++ * Return FAIL for an error.
+ */
+ int
+ tabstop_set(char_u *var, int **array)
+ {
+- int valcount = 1;
+- int t;
+- char_u *cp;
++ int valcount = 1;
++ int t;
++ char_u *cp;
+
+ if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
+ {
+ *array = NULL;
+- return TRUE;
++ return OK;
+ }
+
+ for (cp = var; *cp != NUL; ++cp)
+@@ -12832,8 +12833,8 @@ tabstop_set(char_u *var, int **array)
+ if (cp != end)
+ emsg(_(e_positive));
+ else
+- emsg(_(e_invarg));
+- return FALSE;
++ semsg(_(e_invarg2), cp);
++ return FAIL;
+ }
+ }
+
+@@ -12844,26 +12845,33 @@ tabstop_set(char_u *var, int **array)
+ ++valcount;
+ continue;
+ }
+- emsg(_(e_invarg));
+- return FALSE;
++ semsg(_(e_invarg2), var);
++ return FAIL;
+ }
+
+ *array = (int *)alloc((unsigned) ((valcount + 1) * sizeof(int)));
+ if (*array == NULL)
+- return FALSE;
++ return FAIL;
+ (*array)[0] = valcount;
+
+ t = 1;
+ for (cp = var; *cp != NUL;)
+ {
+- (*array)[t++] = atoi((char *)cp);
++ int n = atoi((char *)cp);
++
++ if (n < 0 || n > 9999)
++ {
++ semsg(_(e_invarg2), cp);
++ return FAIL;
++ }
++ (*array)[t++] = n;
+ while (*cp != NUL && *cp != ',')
+ ++cp;
+ if (*cp != NUL)
+ ++cp;
+ }
+
+- return TRUE;
++ return OK;
+ }
+
+ /*
+diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
+index f11a32b..e7b8946 100644
+--- a/src/testdir/test_retab.vim
++++ b/src/testdir/test_retab.vim
+@@ -74,4 +74,7 @@ endfunc
+ func Test_retab_error()
+ call assert_fails('retab -1', 'E487:')
+ call assert_fails('retab! -1', 'E487:')
++ call assert_fails('ret -1000', 'E487:')
++ call assert_fails('ret 10000', 'E475:')
++ call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+diff --git a/src/version.c b/src/version.c
+index 6bac28e..bd19aac 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -2580,6 +2580,7 @@ static int included_patches[] =
+ */
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
++ "8.2.3402",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch b/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
new file mode 100644
index 0000000..18f205c
--- /dev/null
+++ b/debian/patches/upstream/patch-8.2.3403-memory-leak-for-retab-with-invalid-argumen.patch
@@ -0,0 +1,67 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 21:20:41 +0200
+Subject: patch 8.2.3403: memory leak for :retab with invalid argument
+
+Problem: Memory leak for :retab with invalid argument.
+Solution: Free the memory. Make error messages consistent.
+(cherry picked from commit 2ddb89f8a94425cda1e5491efc80c1ccccb6e08e)
+---
+ src/ex_cmds.c | 10 ++++++++--
+ src/option.c | 3 +++
+ src/version.c | 1 +
+ 3 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 08d71e4..3200173 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -714,12 +714,18 @@ ex_retab(exarg_T *eap)
+ else
+ new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str);
+ #else
+- new_ts = getdigits(&(eap->arg));
+- if (new_ts < 0)
++ ptr = eap->arg;
++ new_ts = getdigits(&ptr);
++ if (new_ts < 0 && *eap->arg == '-')
+ {
+ emsg(_(e_positive));
+ return;
+ }
++ if (new_ts < 0 || new_ts > 9999)
++ {
++ semsg(_(e_invarg2), eap->arg);
++ return;
++ }
+ if (new_ts == 0)
+ new_ts = curbuf->b_p_ts;
+ #endif
+diff --git a/src/option.c b/src/option.c
+index 3ebd443..12d903f 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -12859,9 +12859,12 @@ tabstop_set(char_u *var, int **array)
+ {
+ int n = atoi((char *)cp);
+
++ // Catch negative values, overflow and ridiculous big values.
+ if (n < 0 || n > 9999)
+ {
+ semsg(_(e_invarg2), cp);
++ vim_free(*array);
++ *array = NULL;
+ return FAIL;
+ }
+ (*array)[t++] = n;
+diff --git a/src/version.c b/src/version.c
+index bd19aac..cfe1486 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -2581,6 +2581,7 @@ static int included_patches[] =
+ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ "8.2.3402",
++ "8.2.3403",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch b/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
new file mode 100644
index 0000000..0ad00be
--- /dev/null
+++ b/debian/patches/upstream/patch-8.2.3409-reading-beyond-end-of-line-with-invalid-ut.patch
@@ -0,0 +1,58 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 7 Sep 2021 19:26:53 +0200
+Subject: patch 8.2.3409: reading beyond end of line with invalid utf-8
+ character
+
+Problem: Reading beyond end of line with invalid utf-8 character.
+Solution: Check for NUL when advancing.
+(cherry picked from commit 65b605665997fad54ef39a93199e305af2fe4d7f)
+---
+ src/regexp_nfa.c | 3 ++-
+ src/testdir/test_regexp_utf8.vim | 10 ++++++++++
+ src/version.c | 1 +
+ 3 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index 031a6cf..b9562c6 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -5414,7 +5414,8 @@ find_match_text(colnr_T startcol, int regstart, char_u *match_text)
+ match = FALSE;
+ break;
+ }
+- len2 += MB_CHAR2LEN(c2);
++ len2 += enc_utf8 ? utf_ptr2len(rex.line + col + len2)
++ : MB_CHAR2LEN(c2);
+ }
+ if (match
+ /* check that no composing char follows */
+diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
+index 98b9e73..75485dc 100644
+--- a/src/testdir/test_regexp_utf8.vim
++++ b/src/testdir/test_regexp_utf8.vim
+@@ -206,3 +206,13 @@ func Test_large_class()
+ call assert_equal(1, "\u3042" =~# '[\u3000-\u4000]')
+ set re=0
+ endfunc
++
++func Test_match_invalid_byte()
++ call writefile(0z630a.765d30aa0a.2e0a.790a.4030, 'Xinvalid')
++ new
++ source Xinvalid
++ bwipe!
++ call delete('Xinvalid')
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index cfe1486..a3eca1e 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -2582,6 +2582,7 @@ static char *(extra_patches[]) =
+ { /* Add your patch description below this line */
+ "8.2.3402",
+ "8.2.3403",
++ "8.2.3409",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch b/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
new file mode 100644
index 0000000..16832ad
--- /dev/null
+++ b/debian/patches/upstream/patch-8.2.3428-using-freed-memory-when-replacing.patch
@@ -0,0 +1,78 @@
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 11 Sep 2021 21:14:20 +0200
+Subject: patch 8.2.3428: using freed memory when replacing
+
+Problem: Using freed memory when replacing. (Dhiraj Mishra)
+Solution: Get the line pointer after calling ins_copychar().
+(cherry picked from commit 35a9a00afcb20897d462a766793ff45534810dc3)
+---
+ src/normal.c | 10 +++++++---
+ src/testdir/test_edit.vim | 14 ++++++++++++++
+ src/version.c | 1 +
+ 3 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index 41af966..2c36c15 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -7056,19 +7056,23 @@ nv_replace(cmdarg_T *cap)
+ {
+ /*
+ * Get ptr again, because u_save and/or showmatch() will have
+- * released the line. At the same time we let know that the
+- * line will be changed.
++ * released the line. This may also happen in ins_copychar().
++ * At the same time we let know that the line will be changed.
+ */
+- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ {
+ int c = ins_copychar(curwin->w_cursor.lnum
+ + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (c != NUL)
+ ptr[curwin->w_cursor.col] = c;
+ }
+ else
++ {
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ ptr[curwin->w_cursor.col] = cap->nchar;
++ }
+ if (p_sm && msg_silent == 0)
+ showmatch(cap->nchar);
+ ++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 9a60d01..2e050c2 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1436,3 +1436,17 @@ func Test_leave_insert_autocmd()
+ au! InsertLeave
+ iunmap x
+ endfunc
++
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++ set encoding=latin1
++ new
++ let @" = ''
++ sil! norm orggRx
++ sil! norm pr
++ call assert_equal(['r', 'r'], getline(1, 2))
++ bwipe!
++ set encoding=utf-8
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index a3eca1e..c4a502f 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -2583,6 +2583,7 @@ static char *(extra_patches[]) =
+ "8.2.3402",
+ "8.2.3403",
+ "8.2.3409",
++ "8.2.3428",
+ /**/
+ NULL
+ };