summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/CVE-2022-0318.patch24
-rw-r--r--debian/patches/CVE-2022-0319.patch4
-rw-r--r--debian/patches/CVE-2022-0351.patch4
-rw-r--r--debian/patches/CVE-2022-0359.patch14
-rw-r--r--debian/patches/CVE-2022-0361.patch8
-rw-r--r--debian/patches/CVE-2022-0368.patch4
-rw-r--r--debian/patches/CVE-2022-0392.patch26
-rw-r--r--debian/patches/CVE-2022-0408.patch4
-rw-r--r--debian/patches/CVE-2022-0413.patch4
-rw-r--r--debian/patches/CVE-2022-0417.patch6
-rw-r--r--debian/patches/CVE-2022-0443.patch4
-rw-r--r--debian/patches/CVE-2022-0554.patch2
-rw-r--r--debian/patches/CVE-2022-0572.patch2
-rw-r--r--debian/patches/CVE-2022-0629.patch16
-rw-r--r--debian/patches/CVE-2022-0685.patch12
-rw-r--r--debian/patches/CVE-2022-0696.patch12
-rw-r--r--debian/patches/CVE-2022-0714.patch2
-rw-r--r--debian/patches/CVE-2022-0729.patch4
-rw-r--r--debian/patches/CVE-2022-0943.patch4
-rw-r--r--debian/patches/CVE-2022-1154.patch2
-rw-r--r--debian/patches/CVE-2022-1616.patch4
-rw-r--r--debian/patches/CVE-2022-1619.patch25
-rw-r--r--debian/patches/CVE-2022-1621.patch24
-rw-r--r--debian/patches/CVE-2022-1720.patch2
-rw-r--r--debian/patches/CVE-2022-1785.patch18
-rw-r--r--debian/patches/CVE-2022-1851.patch4
-rw-r--r--debian/patches/CVE-2022-1897.patch30
-rw-r--r--debian/patches/CVE-2022-1898.patch14
-rw-r--r--debian/patches/CVE-2022-1942.patch30
-rw-r--r--debian/patches/CVE-2022-2000.patch22
-rw-r--r--debian/patches/CVE-2022-2129.patch16
-rw-r--r--debian/patches/CVE-2022-2285.patch4
-rw-r--r--debian/patches/CVE-2022-2304.patch4
-rw-r--r--debian/patches/CVE-2022-2598.patch4
-rw-r--r--debian/patches/CVE-2022-2946.patch2
-rw-r--r--debian/patches/CVE-2022-3099.patch2
-rw-r--r--debian/patches/CVE-2022-3134.patch2
-rw-r--r--debian/patches/CVE-2022-3234.patch4
-rw-r--r--debian/patches/CVE-2022-3235.patch12
-rw-r--r--debian/patches/CVE-2022-3256.patch8
-rw-r--r--debian/patches/CVE-2022-3324.patch6
-rw-r--r--debian/patches/CVE-2022-3352.patch8
-rw-r--r--debian/patches/CVE-2022-3705.patch20
-rw-r--r--debian/patches/CVE-2022-4141.patch140
-rw-r--r--debian/patches/CVE-2023-0054.patch26
-rw-r--r--debian/patches/CVE-2023-1175.patch41
-rw-r--r--debian/patches/CVE-2023-2610.patch68
-rw-r--r--debian/patches/CVE_2022-1968.patch4
-rw-r--r--debian/patches/series4
49 files changed, 392 insertions, 314 deletions
diff --git a/debian/patches/CVE-2022-0318.patch b/debian/patches/CVE-2022-0318.patch
index b2005a7..efe9eca 100644
--- a/debian/patches/CVE-2022-0318.patch
+++ b/debian/patches/CVE-2022-0318.patch
@@ -20,8 +20,6 @@ Backport:
fc6ccebea668c49e9e617e0657421b6a8ed9df1e.
* Replace expr-.. by expr-.
-diff --git a/src/ops.c b/src/ops.c
-index a9968024901e..e0fa344d8ee6 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -629,24 +629,12 @@ block_insert(
@@ -32,6 +30,9 @@ index a9968024901e..e0fa344d8ee6 100644
- int off;
+ /* avoid copying part of a multi-byte character */
+ offset -= (*mb_head_off)(oldp, oldp + offset);
++
++ if (spaces < 0) // can happen when the cursor was moved
++ spaces = 0;
- /* Avoid starting halfway a multi-byte character. */
- if (b_insert)
@@ -48,17 +49,12 @@ index a9968024901e..e0fa344d8ee6 100644
- offset -= off;
- }
- }
-+ if (spaces < 0) // can happen when the cursor was moved
-+ spaces = 0;
-+
// Make sure the allocated size matches what is actually copied below.
newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
+ (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
-diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
-index b438fa1e66c6..a187aa8e085e 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
-@@ -417,6 +417,15 @@
+@@ -417,6 +417,15 @@ func Test_visual_block_append_invalid_ch
bwipe!
endfunc
@@ -74,8 +70,6 @@ index b438fa1e66c6..a187aa8e085e 100644
" CVE-2022-0361
func Test_visual_ex_copy_line()
new
-diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
-index 0210ce63c..862e73b9a 100644
--- a/src/testdir/test_utf8.vim
+++ b/src/testdir/test_utf8.vim
@@ -6,7 +6,7 @@ func Test_visual_block_insert()
@@ -87,18 +81,16 @@ index 0210ce63c..862e73b9a 100644
bwipeout!
endfunc
-diff --git a/src/version.c b/src/version.c
-index 53f1619f94d4..227eaa958e2b 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -797,6 +797,10 @@ static char *(features[]) =
- 5024,
+@@ -798,6 +798,10 @@ static int included_patches[] =
/**/
4214,
-+/**/
+ /**/
+ 4152,
+/**/
+ 4151,
- /**/
++/**/
4120,
/**/
+ 1401,
diff --git a/debian/patches/CVE-2022-0319.patch b/debian/patches/CVE-2022-0319.patch
index f8c0add..680eddc 100644
--- a/debian/patches/CVE-2022-0319.patch
+++ b/debian/patches/CVE-2022-0319.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2
src/window.c | 5 +++++
2 files changed, 15 insertions(+)
-diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
-index afeb4da..0841952 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -3,6 +3,16 @@ if !has('visual')
@@ -29,8 +27,6 @@ index afeb4da..0841952 100644
func Test_block_shift_multibyte()
" Uses double-wide character.
-diff --git a/src/window.c b/src/window.c
-index f78fcca..7c7f580 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1576,6 +1576,11 @@ win_exchange(long Prenum)
diff --git a/debian/patches/CVE-2022-0351.patch b/debian/patches/CVE-2022-0351.patch
index 59d38ae..cdce98c 100644
--- a/debian/patches/CVE-2022-0351.patch
+++ b/debian/patches/CVE-2022-0351.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/fe6fb267e6ee5c5da2f41889e4e0e0ac5bf4b8
src/testdir/test_eval_stuff.vim | 5 +++++
2 files changed, 15 insertions(+)
-diff --git a/src/eval.c b/src/eval.c
-index 3f9db7d..00c73a6 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -4159,6 +4159,7 @@ eval7(
@@ -43,8 +41,6 @@ index 3f9db7d..00c73a6 100644
return ret;
}
-diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim
-index f4b3598..6c48c48 100644
--- a/src/testdir/test_eval_stuff.vim
+++ b/src/testdir/test_eval_stuff.vim
@@ -94,3 +94,8 @@ func Test_let_errmsg()
diff --git a/debian/patches/CVE-2022-0359.patch b/debian/patches/CVE-2022-0359.patch
index e2b8ff3..6ca8edf 100644
--- a/debian/patches/CVE-2022-0359.patch
+++ b/debian/patches/CVE-2022-0359.patch
@@ -9,8 +9,6 @@ Origin: https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6c
src/version.c | 2 ++
3 files changed, 12 insertions(+), 1 deletion(-)
-diff --git a/src/ex_getln.c b/src/ex_getln.c
-index cba082a..328450c 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -898,7 +898,7 @@ getcmdline_int(
@@ -22,8 +20,6 @@ index cba082a..328450c 100644
if (ccline.cmdbuff == NULL)
goto theend; // out of memory
ccline.cmdlen = ccline.cmdpos = 0;
-diff --git a/src/testdir/test_ex_equal.vim b/src/testdir/test_ex_equal.vim
-index 03cfc46..fa00072 100644
--- a/src/testdir/test_ex_equal.vim
+++ b/src/testdir/test_ex_equal.vim
@@ -43,3 +43,12 @@ func Test_open_command_flush_line()
@@ -39,16 +35,14 @@ index 03cfc46..fa00072 100644
+ set ts=8 noai
+ bwipe!
+endfunc
-diff --git a/src/version.c b/src/version.c
-index 0a29ebb..586e9ca 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 4214,
/**/
++ 4214,
++/**/
4120,
/**/
+ 1401,
diff --git a/debian/patches/CVE-2022-0361.patch b/debian/patches/CVE-2022-0361.patch
index d1354ed..dae21d1 100644
--- a/debian/patches/CVE-2022-0361.patch
+++ b/debian/patches/CVE-2022-0361.patch
@@ -8,11 +8,9 @@ Origin: https://github.com/vim/vim/commit/dc5490e2cbc8c16022a23b449b48c1bd0083f3
src/testdir/test_visual.vim | 11 +++++++++++
2 files changed, 13 insertions(+)
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index 0b732c2..b18f58c 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
-@@ -1074,6 +1074,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n)
+@@ -1074,6 +1074,8 @@ ex_copy(linenr_T line1, linenr_T line2,
}
appended_lines_mark(n, count);
@@ -21,11 +19,9 @@ index 0b732c2..b18f58c 100644
msgmore((long)count);
}
-diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
-index 0841952..e361f97 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
-@@ -417,3 +417,14 @@ func Test_visual_block_append_invalid_char()
+@@ -417,3 +417,14 @@ func Test_visual_block_append_invalid_ch
bwipe!
endfunc
diff --git a/debian/patches/CVE-2022-0368.patch b/debian/patches/CVE-2022-0368.patch
index 23b8f91..883c57a 100644
--- a/debian/patches/CVE-2022-0368.patch
+++ b/debian/patches/CVE-2022-0368.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/8d02ce1ed75d008c34a5c9aaa51b67cbb9d33b
src/undo.c | 2 ++
2 files changed, 16 insertions(+)
-diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
-index e361f97..1454877 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -428,3 +428,17 @@ func Test_visual_ex_copy_line()
@@ -30,8 +28,6 @@ index e361f97..1454877 100644
+ bwipe!
+endfunc
+
-diff --git a/src/undo.c b/src/undo.c
-index 6b6dd47..6da9c1a 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -2965,6 +2965,8 @@ u_undo_end(
diff --git a/debian/patches/CVE-2022-0392.patch b/debian/patches/CVE-2022-0392.patch
index e410044..fb8d96a 100644
--- a/debian/patches/CVE-2022-0392.patch
+++ b/debian/patches/CVE-2022-0392.patch
@@ -45,11 +45,9 @@ Solution: When :normal runs out of characters in bracketed paste mode break
Backport: drop included_patches 135 due to version bump
-diff --git a/src/edit.c b/src/edit.c
-index ee3caf0dad50..2b5301100ddb 100644
--- a/src/edit.c
+++ b/src/edit.c
-@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int d
int save_paste = p_paste;
/* If the end code is too long we can't detect it, read everything. */
@@ -58,7 +56,7 @@ index ee3caf0dad50..2b5301100ddb 100644
end = NULL;
++no_mapping;
allow_keys = 0;
-@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int d
{
c = vgetc();
} while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
@@ -70,7 +68,7 @@ index ee3caf0dad50..2b5301100ddb 100644
break;
if (has_mbyte)
-@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int d
break;
case PASTE_EX:
@@ -80,11 +78,9 @@ index ee3caf0dad50..2b5301100ddb 100644
{
mch_memmove((char *)gap->ga_data + gap->ga_len,
buf, (size_t)idx);
-diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
-index c94fe7c357ed..5b8d8a0e3e2d 100644
--- a/src/testdir/test_paste.vim
+++ b/src/testdir/test_paste.vim
-@@ -84,6 +84,16 @@
+@@ -84,6 +84,16 @@ func Test_paste_cmdline()
call assert_equal("\"afoo\<CR>barb", getreg(':'))
endfunc
@@ -101,11 +97,9 @@ index c94fe7c357ed..5b8d8a0e3e2d 100644
func Test_paste_visual_mode()
new
call setline(1, 'here are some words')
-diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
-index 60152f602..89ca6e131 100644
--- a/src/testdir/test_search.vim
+++ b/src/testdir/test_search.vim
-@@ -1187,3 +1187,9 @@
+@@ -1187,3 +1187,9 @@ func Test_search_Ctrl_L_combining()
call assert_equal(bufcontent[1], @/)
call Incsearch_cleanup()
endfunc
@@ -115,16 +109,14 @@ index 60152f602..89ca6e131 100644
+ set t_PE=
+ exe "norm /\x80PS"
+endfunc
-diff --git a/src/version.c b/src/version.c
-index 6685b554f537..9dcf34928f8d 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,8 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,8 @@ static int included_patches[] =
/**/
5024,
-+/**/
-+ 4218,
/**/
++ 4218,
++/**/
4214,
/**/
+ 4152,
diff --git a/debian/patches/CVE-2022-0408.patch b/debian/patches/CVE-2022-0408.patch
index dc496c3..c3b596e 100644
--- a/debian/patches/CVE-2022-0408.patch
+++ b/debian/patches/CVE-2022-0408.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/06f15416bb8d5636200a10776f1752c4d6e49f
src/testdir/test_spell.vim | 10 ++++++++++
2 files changed, 25 insertions(+), 2 deletions(-)
-diff --git a/src/spell.c b/src/spell.c
-index 05756eb..758a12e 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -4191,7 +4191,7 @@ suggest_try_change(suginfo_T *su)
@@ -64,8 +62,6 @@ index 05756eb..758a12e 100644
}
}
}
-diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
-index 6fccc0e..0a7d8d4 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -388,6 +388,16 @@ func Test_zeq_crash()
diff --git a/debian/patches/CVE-2022-0413.patch b/debian/patches/CVE-2022-0413.patch
index f3daa2e..208446b 100644
--- a/debian/patches/CVE-2022-0413.patch
+++ b/debian/patches/CVE-2022-0413.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/37f47958b8a2a44abc60614271d9537e7f14e5
src/testdir/test_substitute.vim | 17 +++++++++++++++++
2 files changed, 32 insertions(+), 4 deletions(-)
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index b18f58c..5ad8913 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4857,6 +4857,7 @@ do_sub(exarg_T *eap)
@@ -53,8 +51,6 @@ index b18f58c..5ad8913 100644
/* Restore the flag values, they can be used for ":&&". */
subflags.do_all = save_do_all;
-diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
-index d84daa7..c1e8f30 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -500,3 +500,20 @@ func Test_sub_cmd_8()
diff --git a/debian/patches/CVE-2022-0417.patch b/debian/patches/CVE-2022-0417.patch
index d5a99e0..0229c69 100644
--- a/debian/patches/CVE-2022-0417.patch
+++ b/debian/patches/CVE-2022-0417.patch
@@ -9,8 +9,6 @@ Origin: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f555
src/vim.h | 2 ++
3 files changed, 13 insertions(+), 7 deletions(-)
-diff --git a/src/option.c b/src/option.c
-index 12d903f..f7643eb 100644
--- a/src/option.c
+++ b/src/option.c
@@ -9371,6 +9371,11 @@ set_num_option(
@@ -60,8 +58,6 @@ index 12d903f..f7643eb 100644
#endif
}
-diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
-index 83b315d..50aae7c 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -234,6 +234,8 @@ func Test_set_errors()
@@ -73,8 +69,6 @@ index 83b315d..50aae7c 100644
call assert_fails('set textwidth=-1', 'E487:')
call assert_fails('set timeoutlen=-1', 'E487:')
call assert_fails('set updatecount=-1', 'E487:')
-diff --git a/src/vim.h b/src/vim.h
-index 7ee164a..dfc96bc 100644
--- a/src/vim.h
+++ b/src/vim.h
@@ -1988,6 +1988,8 @@ typedef int sock_T;
diff --git a/debian/patches/CVE-2022-0443.patch b/debian/patches/CVE-2022-0443.patch
index fdf2329..aad8d0e 100644
--- a/debian/patches/CVE-2022-0443.patch
+++ b/debian/patches/CVE-2022-0443.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d4
src/testdir/test_quickfix.vim | 16 ++++++++++++++++
2 files changed, 26 insertions(+), 5 deletions(-)
-diff --git a/src/buffer.c b/src/buffer.c
-index 590a63c..4cac106 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1627,6 +1627,7 @@ set_curbuf(buf_T *buf, int action)
@@ -53,8 +51,6 @@ index 590a63c..4cac106 100644
clear_string_option(&buf->b_p_vts);
VIM_CLEAR(buf->b_p_vts_array);
#endif
-diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
-index e7aa41e..8668224 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
@@ -3899,3 +3899,19 @@ func Test_viscol()
diff --git a/debian/patches/CVE-2022-0554.patch b/debian/patches/CVE-2022-0554.patch
index ac5038e..9599a1b 100644
--- a/debian/patches/CVE-2022-0554.patch
+++ b/debian/patches/CVE-2022-0554.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461
src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++
2 files changed, 47 insertions(+), 4 deletions(-)
-diff --git a/src/buffer.c b/src/buffer.c
-index 4cac106..912ace9 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1471,8 +1471,14 @@ do_buffer(
diff --git a/debian/patches/CVE-2022-0572.patch b/debian/patches/CVE-2022-0572.patch
index 0121992..ba05e16 100644
--- a/debian/patches/CVE-2022-0572.patch
+++ b/debian/patches/CVE-2022-0572.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa
src/testdir/test_retab.vim | 19 +++++++++++++++++++
2 files changed, 23 insertions(+)
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index 5ad8913..b3be24e 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -821,6 +821,10 @@ ex_retab(exarg_T *eap)
diff --git a/debian/patches/CVE-2022-0629.patch b/debian/patches/CVE-2022-0629.patch
index b3348ef..7c32714 100644
--- a/debian/patches/CVE-2022-0629.patch
+++ b/debian/patches/CVE-2022-0629.patch
@@ -12,8 +12,6 @@ Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv().
src/version.c | 2 ++
3 files changed, 11 insertions(+), 1 deletion(-)
-diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
-index 8987f3f8dfcd..27b2d73fbfc8 100644
--- a/src/testdir/test_assert.vim
+++ b/src/testdir/test_assert.vim
@@ -35,6 +35,14 @@ func Test_assert_equal()
@@ -31,11 +29,9 @@ index 8987f3f8dfcd..27b2d73fbfc8 100644
endfunc
func Test_assert_equalfile()
-diff --git a/src/testing.c b/src/testing.c
-index 448c01c1e964..48ba14d2cafd 100644
--- a/src/eval.c
+++ b/src/eval.c
-@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str)
+@@ -9558,7 +9558,7 @@ ga_concat_shorten_esc(garray_T *gap, cha
{
same_len = 1;
s = p;
@@ -44,16 +40,14 @@ index 448c01c1e964..48ba14d2cafd 100644
clen = s - p;
while (*s != NUL && c == mb_ptr2char(s))
{
-diff --git a/src/version.c b/src/version.c
-index fb1b8476e1a6..b4983661cadc 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,8 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,8 @@ static int included_patches[] =
/**/
5024,
-+/**/
-+ 4397,
/**/
++ 4397,
++/**/
4218,
/**/
+ 4214,
diff --git a/debian/patches/CVE-2022-0685.patch b/debian/patches/CVE-2022-0685.patch
index 14e5210..054765b 100644
--- a/debian/patches/CVE-2022-0685.patch
+++ b/debian/patches/CVE-2022-0685.patch
@@ -10,25 +10,21 @@ Origin: https://github.com/vim/vim/commit/5921aeb5741fc6e84c870d68c7c35b93ad0c9f
src/version.c | 2 ++
4 files changed, 18 insertions(+), 1 deletion(-)
-diff --git a/src/charset.c b/src/charset.c
-index 1fbbaee..427686d 100644
--- a/src/charset.c
+++ b/src/charset.c
-@@ -1672,6 +1672,12 @@ vim_isupper(int c)
- return isupper(c);
+@@ -1673,6 +1673,12 @@ vim_isupper(int c)
}
-+ int
+ int
+vim_isalpha(int c)
+{
+ return vim_islower(c) || vim_isupper(c);
+}
+
- int
++ int
vim_toupper(int c)
{
-diff --git a/src/proto/charset.pro b/src/proto/charset.pro
-index bb4132f..c078ff6 100644
+ if (c <= '@')
--- a/src/proto/charset.pro
+++ b/src/proto/charset.pro
@@ -48,6 +48,7 @@ int vim_isxdigit(int c);
diff --git a/debian/patches/CVE-2022-0696.patch b/debian/patches/CVE-2022-0696.patch
index 0e1491e..95ee4cd 100644
--- a/debian/patches/CVE-2022-0696.patch
+++ b/debian/patches/CVE-2022-0696.patch
@@ -18,21 +18,17 @@ Backport: Since the old version dosn't do command line completion
correctly, those parts are dropped and we only forbid switching the tab
page.
-diff --git a/src/version.c b/src/version.c
-index c5f5c22f90ac..777476d80dce 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,8 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,8 @@ static int included_patches[] =
/**/
5024,
-+/**/
-+ 4428,
/**/
++ 4428,
++/**/
4397,
/**/
-diff --git a/src/window.c b/src/window.c
-index 1f5e7096047c..b00ed977fc04 100644
+ 4218,
--- a/src/window.c
+++ b/src/window.c
@@ -3656,6 +3656,14 @@ win_new_tabpage(int after)
diff --git a/debian/patches/CVE-2022-0714.patch b/debian/patches/CVE-2022-0714.patch
index 1b86d51..459f7fd 100644
--- a/debian/patches/CVE-2022-0714.patch
+++ b/debian/patches/CVE-2022-0714.patch
@@ -7,8 +7,6 @@ Origin: https://github.com/vim/vim/commit/4e889f98e95ac05d7c8bd3ee933ab4d47820fd
src/edit.c | 2 ++
1 file changed, 2 insertions(+)
-diff --git a/src/edit.c b/src/edit.c
-index eac4803..df84631 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -2113,6 +2113,8 @@ change_indent(
diff --git a/debian/patches/CVE-2022-0729.patch b/debian/patches/CVE-2022-0729.patch
index 7333268..79c810a 100644
--- a/debian/patches/CVE-2022-0729.patch
+++ b/debian/patches/CVE-2022-0729.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/6456fae9ba8e72c74b2c0c499eaf09974604ff
src/testdir/test_regexp_utf8.vim | 8 ++++++++
2 files changed, 13 insertions(+)
-diff --git a/src/regexp.c b/src/regexp.c
-index 6ad928d..33414ce 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -5575,6 +5575,11 @@ regmatch(
@@ -24,8 +22,6 @@ index 6ad928d..33414ce 100644
--rex.lnum;
rex.line = reg_getline(rex.lnum);
/* Just in case regrepeat() didn't count
-diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim
-index 75485dc..378bc21 100644
--- a/src/testdir/test_regexp_utf8.vim
+++ b/src/testdir/test_regexp_utf8.vim
@@ -215,4 +215,12 @@ func Test_match_invalid_byte()
diff --git a/debian/patches/CVE-2022-0943.patch b/debian/patches/CVE-2022-0943.patch
index b4870dc..b9851cd 100644
--- a/debian/patches/CVE-2022-0943.patch
+++ b/debian/patches/CVE-2022-0943.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653
src/testdir/test_spell.vim | 17 +++++++++++++++++
2 files changed, 21 insertions(+)
-diff --git a/src/spell.c b/src/spell.c
-index 758a12e..2d36953 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3259,6 +3259,10 @@ spell_suggest(int count)
@@ -23,8 +21,6 @@ index 758a12e..2d36953 100644
}
/* Find the start of the badly spelled word. */
else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
-diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
-index 0a7d8d4..50e2d54 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -126,6 +126,23 @@ func Test_spellreall()
diff --git a/debian/patches/CVE-2022-1154.patch b/debian/patches/CVE-2022-1154.patch
index 42799a0..99b4175 100644
--- a/debian/patches/CVE-2022-1154.patch
+++ b/debian/patches/CVE-2022-1154.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1
src/testdir/test_regexp_latin.vim | 14 ++++++++++++++
2 files changed, 22 insertions(+)
-diff --git a/src/regexp.c b/src/regexp.c
-index 33414ce..4345df9 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -4322,8 +4322,16 @@ regmatch(
diff --git a/debian/patches/CVE-2022-1616.patch b/debian/patches/CVE-2022-1616.patch
index 85a2ed0..512bf5e 100644
--- a/debian/patches/CVE-2022-1616.patch
+++ b/debian/patches/CVE-2022-1616.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc
src/testdir/test_cmdline.vim | 12 ++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
-diff --git a/src/ex_docmd.c b/src/ex_docmd.c
-index 1dfa95d..bb8d719 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -3116,7 +3116,7 @@ append_command(char_u *cmd)
@@ -30,8 +28,6 @@ index 1dfa95d..bb8d719 100644
else
MB_COPY_CHAR(s, d);
}
-diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
-index 02eeb6b..46f18dc 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -609,4 +609,16 @@ func Test_cmdline_overstrike()
diff --git a/debian/patches/CVE-2022-1619.patch b/debian/patches/CVE-2022-1619.patch
index 121a1b7..1015395 100644
--- a/debian/patches/CVE-2022-1619.patch
+++ b/debian/patches/CVE-2022-1619.patch
@@ -13,11 +13,9 @@ Solution: Check already being at the start of the command line.
src/version.c | 2 ++
3 files changed, 12 insertions(+), 4 deletions(-)
-diff --git a/src/ex_getln.c b/src/ex_getln.c
-index a97024b35171..7020f5143a01 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
-@@ -1635,10 +1635,13 @@
+@@ -1635,10 +1635,13 @@ getcmdline_int(
{
while (p > ccline.cmdbuff && vim_isspace(p[-1]))
--p;
@@ -35,15 +33,12 @@ index a97024b35171..7020f5143a01 100644
}
else
--p;
-diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
-index 474638fb00d6..5a849f77f755 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
-@@ -641,6 +641,19 @@
- let &lines = lines
+@@ -642,5 +642,18 @@ func Test_cmdwin_split_often()
let &columns = columns
endfunc
-+
+
+func Test_cmdline_remove_char()
+ let encoding_save = &encoding
+
@@ -56,19 +51,17 @@ index 474638fb00d6..5a849f77f755 100644
+
+ let &encoding = encoding_save
+endfunc
-
-
++
+
set cpo&
-diff --git a/src/version.c b/src/version.c
-index 201d26f06eb9..05888c722e8e 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,8 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,8 @@ static int included_patches[] =
/**/
5024,
-+/**/
-+ 4899,
/**/
++ 4899,
++/**/
4428,
/**/
+ 4397,
diff --git a/debian/patches/CVE-2022-1621.patch b/debian/patches/CVE-2022-1621.patch
index 29f8532..62b4eec 100644
--- a/debian/patches/CVE-2022-1621.patch
+++ b/debian/patches/CVE-2022-1621.patch
@@ -26,11 +26,9 @@ Solution: Remove the test.
src/version.c | 2 ++
2 files changed, 2 insertions(+), 8 deletions(-)
-diff --git a/src/mbyte.c b/src/mbyte.c
-index 2b7f9991ae14..a01a05140207 100644
--- a/src/mbyte.c
+++ b/src/mbyte.c
-@@ -4047,7 +4047,7 @@ utf_find_illegal(void)
+@@ -4047,7 +4047,7 @@ theend:
convert_setup(&vimconv, NULL, NULL);
}
@@ -39,8 +37,6 @@ index 2b7f9991ae14..a01a05140207 100644
/*
* Return TRUE if string "s" is a valid utf-8 string.
* When "end" is NULL stop at the first NUL.
-diff --git a/src/spellfile.c b/src/spellfile.c
-index 22cf82da0872..f0d6d96a47f0 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4361,6 +4361,10 @@ store_word(
@@ -67,11 +63,9 @@ index 22cf82da0872..f0d6d96a47f0 100644
if (idx == 0) /* use internal wordlist */
{
if (int_wordlist == NULL)
-diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
-index 79dc3e4a4a62..17fa23555818 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
-@@ -476,16 +476,6 @@
+@@ -476,16 +476,6 @@ func RunGoodBad(good, bad, expected_word
bwipe!
endfunc
@@ -88,27 +82,25 @@ index 79dc3e4a4a62..17fa23555818 100644
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
-@@ -936,3 +926,8 @@
+@@ -936,3 +926,8 @@ let g:test_data_aff_sal = [
\"SAL Z S",
\ ]
-
+
+" Invalid bytes may cause trouble when creating the word list.
+func Test_check_for_valid_word()
+ call assert_fails("spellgood! 0\xac", 'E1280:')
+endfunc
+
-diff --git a/src/version.c b/src/version.c
-index f949dd6d7ed0..c4f5655bf6c2 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,10 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,10 @@ static int included_patches[] =
/**/
5024,
-+/**/
+ /**/
+ 4921,
+/**/
+ 4919,
- /**/
++/**/
4899,
/**/
+ 4428,
diff --git a/debian/patches/CVE-2022-1720.patch b/debian/patches/CVE-2022-1720.patch
index 80855fb..71479e0 100644
--- a/debian/patches/CVE-2022-1720.patch
+++ b/debian/patches/CVE-2022-1720.patch
@@ -7,8 +7,6 @@ Origin: https://github.com/vim/vim/commit/395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab9
src/normal.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
-diff --git a/src/normal.c b/src/normal.c
-index 2c36c15..ebda136 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -5777,9 +5777,17 @@ get_visual_text(
diff --git a/debian/patches/CVE-2022-1785.patch b/debian/patches/CVE-2022-1785.patch
index 1d3817f..d3789a3 100644
--- a/debian/patches/CVE-2022-1785.patch
+++ b/debian/patches/CVE-2022-1785.patch
@@ -15,11 +15,9 @@ Solution: Disallow changing window in substitute expression.
Backport: Use textlock instead of textwinlock. In this version, textwinlock
wasn't yet split out from textlock and it'll get merged back later.
-diff --git a/src/ex_cmds.c b/src/ex_cmds.c
-index 7e730becb48f..210e21fe7a5b 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
-@@ -5576,12 +5576,17 @@ ex_substitute(exarg_T *eap)
+@@ -5576,12 +5576,17 @@ do_sub(exarg_T *eap)
/* Save flags for recursion. They can change for e.g.
* :s/^/\=execute("s#^##gn") */
subflags_save = subflags;
@@ -37,7 +35,7 @@ index 7e730becb48f..210e21fe7a5b 100644
/* Don't keep flags set by a recursive call. */
subflags = subflags_save;
if (subflags.do_count)
-@@ -5670,9 +5675,15 @@ ex_substitute(exarg_T *eap)
+@@ -5670,9 +5675,15 @@ do_sub(exarg_T *eap)
mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
new_end += copy_len;
@@ -53,8 +51,6 @@ index 7e730becb48f..210e21fe7a5b 100644
sub_nsubs++;
did_sub = TRUE;
-diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
-index f3fd7ab1ce77..a1c324ed8d20 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -517,3 +517,16 @@ func Test_using_old_sub()
@@ -74,16 +70,14 @@ index f3fd7ab1ce77..a1c324ed8d20 100644
+ delfunc Repl
+endfunc
+
-diff --git a/src/version.c b/src/version.c
-index 4c63ea0771ad..782642b5d5a1 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,8 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,8 @@ static int included_patches[] =
/**/
5024,
-+/**/
-+ 4977,
/**/
++ 4977,
++/**/
4921,
/**/
+ 4919,
diff --git a/debian/patches/CVE-2022-1851.patch b/debian/patches/CVE-2022-1851.patch
index 1b84df9..d129df1 100644
--- a/debian/patches/CVE-2022-1851.patch
+++ b/debian/patches/CVE-2022-1851.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9
src/testdir/test_textformat.vim | 12 ++++++++++++
2 files changed, 15 insertions(+)
-diff --git a/src/ops.c b/src/ops.c
-index 4c81922..84b5f90 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -4778,6 +4778,9 @@ op_format(
@@ -22,8 +20,6 @@ index 4c81922..84b5f90 100644
}
if (oap->is_VIsual)
-diff --git a/src/testdir/test_textformat.vim b/src/testdir/test_textformat.vim
-index 13fb50b..508e18b 100644
--- a/src/testdir/test_textformat.vim
+++ b/src/testdir/test_textformat.vim
@@ -489,3 +489,15 @@ func Test_format_list_auto()
diff --git a/debian/patches/CVE-2022-1897.patch b/debian/patches/CVE-2022-1897.patch
index 1a44481..e14fb46 100644
--- a/debian/patches/CVE-2022-1897.patch
+++ b/debian/patches/CVE-2022-1897.patch
@@ -12,15 +12,12 @@ Solution: Disallow undo when in a substitute command.
src/version.c | 2 ++
4 files changed, 51 insertions(+), 21 deletions(-)
-diff --git a/src/normal.c b/src/normal.c
-index bc3e29e1abaa..53c50dc8b368 100644
--- a/src/normal.c
+++ b/src/normal.c
-@@ -514,6 +514,22 @@ find_command(int cmdchar)
- return idx;
+@@ -515,6 +515,22 @@ find_command(int cmdchar)
}
-+/*
+ /*
+ * If currently editing a cmdline or text is locked: beep and give an error
+ * message, return TRUE.
+ */
@@ -36,10 +33,11 @@ index bc3e29e1abaa..53c50dc8b368 100644
+ return FALSE;
+}
+
- /*
++/*
* Execute a command in Normal mode.
*/
-@@ -775,14 +791,9 @@ normal_cmd(
+ void
+@@ -775,14 +791,9 @@ getcount:
goto normal_end;
}
@@ -57,7 +55,7 @@ index bc3e29e1abaa..53c50dc8b368 100644
goto normal_end;
/*
-@@ -6164,12 +6175,8 @@ nv_gotofile(cmdarg_T *cap)
+@@ -6162,12 +6173,8 @@ nv_gotofile(cmdarg_T *cap)
char_u *ptr;
linenr_T lnum = -1;
@@ -71,7 +69,7 @@ index bc3e29e1abaa..53c50dc8b368 100644
if (curbuf_locked())
{
clearop(cap->oap);
-@@ -8330,14 +8337,7 @@ nv_g_cmd(cmdarg_T *cap)
+@@ -8328,14 +8335,7 @@ nv_g_cmd(cmdarg_T *cap)
/* "gQ": improved Ex mode */
case 'Q':
@@ -87,8 +85,6 @@ index bc3e29e1abaa..53c50dc8b368 100644
do_exmode(TRUE);
break;
-diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
-index a1c324ed8d20..c8df09f4ec1e 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
@@ -530,3 +530,25 @@ func Test_sub_change_window()
@@ -117,8 +113,6 @@ index a1c324ed8d20..c8df09f4ec1e 100644
+ delfunc Repl
+endfunc
+
-diff --git a/src/undo.c b/src/undo.c
-index cac09f0f58df..81cc28e8b801 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -2278,6 +2278,12 @@ undo_time(
@@ -134,16 +128,14 @@ index cac09f0f58df..81cc28e8b801 100644
/* First make sure the current undoable change is synced. */
if (curbuf->b_u_synced == FALSE)
u_sync(TRUE);
-diff --git a/src/version.c b/src/version.c
-index 9751865c7adf..cd6c33162204 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -795,6 +795,8 @@ static char *(features[]) =
- 805,
+@@ -796,6 +796,8 @@ static int included_patches[] =
/**/
5024,
-+/**/
-+ 5023,
/**/
++ 5023,
++/**/
4977,
/**/
+ 4921,
diff --git a/debian/patches/CVE-2022-1898.patch b/debian/patches/CVE-2022-1898.patch
index c5817ba..60ca549 100644
--- a/debian/patches/CVE-2022-1898.patch
+++ b/debian/patches/CVE-2022-1898.patch
@@ -9,8 +9,6 @@ Origin: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc98067
src/version.c | 2 ++
3 files changed, 14 insertions(+)
-diff --git a/src/normal.c b/src/normal.c
-index ebda136..c3b6897 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -6426,6 +6426,11 @@ nv_brackets(cmdarg_T *cap)
@@ -33,8 +31,6 @@ index ebda136..c3b6897 100644
curwin->w_set_curswant = TRUE;
}
}
-diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
-index ae47a69..da4af2f 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -255,6 +255,12 @@ func Test_tagjump_etags()
@@ -50,16 +46,14 @@ index ae47a69..da4af2f 100644
endfunc
" Test for getting and modifying the tag stack
-diff --git a/src/version.c b/src/version.c
-index 586e9ca..cd174b0 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 5024,
/**/
++ 5024,
++/**/
4214,
/**/
+ 4120,
diff --git a/debian/patches/CVE-2022-1942.patch b/debian/patches/CVE-2022-1942.patch
index e2f5b9c..7b91963 100644
--- a/debian/patches/CVE-2022-1942.patch
+++ b/debian/patches/CVE-2022-1942.patch
@@ -20,8 +20,6 @@ Backport: Drop test case, because the expected E565 was only introduced in
8.2.0670 and the testcase does not otherwise fail or issue messages in
valgrind.
-diff --git a/src/buffer.c b/src/buffer.c
-index efec431c822d..e775398d0294 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2297,12 +2297,7 @@ buflist_getfile(
@@ -38,15 +36,12 @@ index efec431c822d..e775398d0294 100644
return FAIL;
/* altfpos may be changed by getfile(), get it now */
-diff --git a/src/ex_getln.c b/src/ex_getln.c
-index 9dadfbf2fabe..623bd1d4984a 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
-@@ -2589,6 +2589,21 @@ get_text_locked_msg(void)
- return e_secure;
+@@ -2590,6 +2590,21 @@ get_text_locked_msg(void)
}
-+/*
+ /*
+ * Check for text, window or buffer locked.
+ * Give an error message and return TRUE if something is locked.
+ */
@@ -61,9 +56,10 @@ index 9dadfbf2fabe..623bd1d4984a 100644
+ return curbuf_locked();
+}
+
- /*
++/*
* Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is
* and give an error message.
+ */
@@ -7188,6 +7203,10 @@ open_cmdwin(void)
int save_KeyTyped;
#endif
@@ -75,11 +71,9 @@ index 9dadfbf2fabe..623bd1d4984a 100644
/* Can't do this recursively. Can't do it when typing a password. */
if (cmdwin_type != 0
# if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
-diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro
-index 8c8bd0ebd4cd..bcc310c7dd0e 100644
--- a/src/proto/ex_getln.pro
+++ b/src/proto/ex_getln.pro
-@@ -5,6 +5,7 @@
+@@ -5,6 +5,7 @@ char_u *getcmdline_prompt(int firstc, ch
int text_locked(void);
void text_locked_msg(void);
char *get_text_locked_msg(void);
@@ -87,27 +81,23 @@ index 8c8bd0ebd4cd..bcc310c7dd0e 100644
int curbuf_locked(void);
int allbuf_locked(void);
char_u *getexline(int c, void *cookie, int indent);
-diff --git a/src/version.c b/src/version.c
-index 18a1fdb41cb6..a15bb3ed8d6a 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 5043,
/**/
++ 5043,
++/**/
805,
/**/
-diff --git a/src/window.c b/src/window.c
-index f2913d4a76ef..9b5ac97286cd 100644
+ 5024,
--- a/src/window.c
+++ b/src/window.c
@@ -4173,14 +4173,11 @@ win_goto(win_T *wp)
win_T *owp = curwin;
#endif
-
+
- if (text_locked())
+ if (text_or_buf_locked())
{
diff --git a/debian/patches/CVE-2022-2000.patch b/debian/patches/CVE-2022-2000.patch
index 7f1a1e6..e3fa6e2 100644
--- a/debian/patches/CVE-2022-2000.patch
+++ b/debian/patches/CVE-2022-2000.patch
@@ -12,11 +12,9 @@ Solution: Truncate the message.
src/version.c | 2 ++
3 files changed, 17 insertions(+), 2 deletions(-)
-diff --git a/src/ex_docmd.c b/src/ex_docmd.c
-index cfb40e8d5cfa..634a1bcef566 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
-@@ -3111,9 +3111,17 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
+@@ -3111,9 +3111,17 @@ checkforcmd(
static void
append_command(char_u *cmd)
{
@@ -36,13 +34,11 @@ index cfb40e8d5cfa..634a1bcef566 100644
STRCAT(IObuff, ": ");
d = IObuff + STRLEN(IObuff);
while (*s != NUL && d - IObuff + 5 < IOSIZE)
-diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
-index 77965b3f65a3..2289c343e9f8 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
-@@ -657,3 +657,9 @@
-
-
+@@ -657,3 +657,9 @@ endfunc
+
+
set cpo&
+
+func Test_long_error_message()
@@ -50,16 +46,14 @@ index 77965b3f65a3..2289c343e9f8 100644
+ silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
+endfunc
+
-diff --git a/src/version.c b/src/version.c
-index 542028606dde..dd585c81afe9 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 5063,
/**/
++ 5063,
++/**/
5043,
/**/
+ 805,
diff --git a/debian/patches/CVE-2022-2129.patch b/debian/patches/CVE-2022-2129.patch
index 70bdd57..96e8d05 100644
--- a/debian/patches/CVE-2022-2129.patch
+++ b/debian/patches/CVE-2022-2129.patch
@@ -11,8 +11,6 @@ Solution: Disallow switching buffers in a substitute expression.
src/version.c | 2 ++
3 files changed, 19 insertions(+), 3 deletions(-)
-diff --git a/src/ex_docmd.c b/src/ex_docmd.c
-index fed9330b52e9..1185cd1550a6 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -8778,9 +8778,10 @@ do_exedit(
@@ -29,11 +27,9 @@ index fed9330b52e9..1185cd1550a6 100644
return;
n = readonlymode;
-diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
-index 46ea95513192..c056fa965692 100644
--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
-@@ -552,3 +552,16 @@
+@@ -552,3 +552,16 @@ func Test_sub_undo_change()
delfunc Repl
endfunc
@@ -50,16 +46,14 @@ index 46ea95513192..c056fa965692 100644
+ bwipe!
+endfunc
+
-diff --git a/src/version.c b/src/version.c
-index 82ac4eaf2dd9..2f397ae315f7 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 5126,
/**/
++ 5126,
++/**/
5063,
/**/
+ 5043,
diff --git a/debian/patches/CVE-2022-2285.patch b/debian/patches/CVE-2022-2285.patch
index 5105f02..db103c6 100644
--- a/debian/patches/CVE-2022-2285.patch
+++ b/debian/patches/CVE-2022-2285.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/27efc62f5d86afcb2ecb7565587fe8dea4b036
src/testdir/test_mapping.vim | 10 ++++++++++
2 files changed, 11 insertions(+)
-diff --git a/src/term.c b/src/term.c
-index 47d2bda..bc46ed9 100644
--- a/src/term.c
+++ b/src/term.c
@@ -4440,6 +4440,7 @@ check_termcode(
@@ -20,8 +18,6 @@ index 47d2bda..bc46ed9 100644
key_name[0] = NUL; /* no key name found yet */
key_name[1] = NUL; /* no key name found yet */
modifiers = 0; /* no modifiers yet */
-diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim
-index c454fc0..3c81bb5 100644
--- a/src/testdir/test_mapping.vim
+++ b/src/testdir/test_mapping.vim
@@ -318,3 +318,13 @@ func Test_motionforce_omap()
diff --git a/debian/patches/CVE-2022-2304.patch b/debian/patches/CVE-2022-2304.patch
index a76927d..4ba628d 100644
--- a/debian/patches/CVE-2022-2304.patch
+++ b/debian/patches/CVE-2022-2304.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e709
src/testdir/test_spell.vim | 14 ++++++++++++++
2 files changed, 17 insertions(+), 2 deletions(-)
-diff --git a/src/spell.c b/src/spell.c
-index 2d36953..3d9e7c8 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -8505,9 +8505,10 @@ spell_dump_compl(
@@ -25,8 +23,6 @@ index 2d36953..3d9e7c8 100644
* Don't use keep-case words in the fold-case tree,
* they will appear in the keep-case tree.
* Only use the word when the region matches. */
-diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
-index 50e2d54..afbb6d8 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -260,6 +260,19 @@ func Test_zz_compound()
diff --git a/debian/patches/CVE-2022-2598.patch b/debian/patches/CVE-2022-2598.patch
index d7732d4..a4d6886 100644
--- a/debian/patches/CVE-2022-2598.patch
+++ b/debian/patches/CVE-2022-2598.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf0554
src/testdir/test_diffmode.vim | 15 +++++++++++++++
2 files changed, 21 insertions(+), 3 deletions(-)
-diff --git a/src/diff.c b/src/diff.c
-index d368f96..745cb87 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -451,7 +451,10 @@ diff_mark_adjust_tp(
@@ -35,8 +33,6 @@ index d368f96..745cb87 100644
}
for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i)
{
-diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim
-index 84fb451..3ced8cd 100644
--- a/src/testdir/test_diffmode.vim
+++ b/src/testdir/test_diffmode.vim
@@ -913,3 +913,18 @@ func Test_diff_of_diff()
diff --git a/debian/patches/CVE-2022-2946.patch b/debian/patches/CVE-2022-2946.patch
index b3dadb9..05aa8c1 100644
--- a/debian/patches/CVE-2022-2946.patch
+++ b/debian/patches/CVE-2022-2946.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e751576
src/testdir/test_tagcase.vim | 12 ++++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
-diff --git a/src/tag.c b/src/tag.c
-index b1915e1..4e96da3 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -146,6 +146,7 @@ do_tag(
diff --git a/debian/patches/CVE-2022-3099.patch b/debian/patches/CVE-2022-3099.patch
index 1dd5203..aecab0b 100644
--- a/debian/patches/CVE-2022-3099.patch
+++ b/debian/patches/CVE-2022-3099.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/35d21c6830fc2d68aca838424a0e786821c589
src/testdir/test_eval_stuff.vim | 14 ++++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
-diff --git a/src/ex_docmd.c b/src/ex_docmd.c
-index bb8d719..5321962 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -1109,7 +1109,7 @@ do_cmdline(
diff --git a/debian/patches/CVE-2022-3134.patch b/debian/patches/CVE-2022-3134.patch
index 16f8949..e7eaae6 100644
--- a/debian/patches/CVE-2022-3134.patch
+++ b/debian/patches/CVE-2022-3134.patch
@@ -7,8 +7,6 @@ Origin: https://github.com/vim/vim/commit/ccfde4d028e891a41e3548323c3d47b06fb0b8
src/tag.c | 9 +++++++++
1 file changed, 9 insertions(+)
-diff --git a/src/tag.c b/src/tag.c
-index 4e96da3..6fcd6ee 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -539,6 +539,15 @@ do_tag(
diff --git a/debian/patches/CVE-2022-3234.patch b/debian/patches/CVE-2022-3234.patch
index 16207d5..28e5d63 100644
--- a/debian/patches/CVE-2022-3234.patch
+++ b/debian/patches/CVE-2022-3234.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/c249913edc35c0e666d783bfc21595cf9f7d9e
src/testdir/test_virtualedit.vim | 14 ++++++++++++++
2 files changed, 24 insertions(+), 2 deletions(-)
-diff --git a/src/ops.c b/src/ops.c
-index 84b5f90..c2319b1 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2295,6 +2295,8 @@ op_replace(oparg_T *oap, int c)
@@ -47,8 +45,6 @@ index 84b5f90..c2319b1 100644
{
int virtcols = oap->end.coladd;
-diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
-index 67adede..6b8fdfd 100644
--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
@@ -73,3 +73,17 @@ func Test_edit_CTRL_G()
diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch
index fc3e20e..d18b7a1 100644
--- a/debian/patches/CVE-2022-3235.patch
+++ b/debian/patches/CVE-2022-3235.patch
@@ -14,8 +14,6 @@ Solution: Make sure pointer to b_p_iminsert is still valid.
Backport: rewrote b_im_ptr handling
-diff --git a/src/ex_getln.c b/src/ex_getln.c
-index 70436b31f05e..a4fb61145c96 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -858,6 +858,7 @@ getcmdline_int(
@@ -67,7 +65,7 @@ index 70436b31f05e..a4fb61145c96 100644
{
if (b_im_ptr == &curbuf->b_p_iminsert)
set_iminsert_global();
-@@ -2476,7 +2478,8 @@ getcmdline_int(
+@@ -2476,7 +2478,8 @@ returncmd:
State = save_State;
#ifdef HAVE_INPUT_METHOD
@@ -77,11 +75,9 @@ index 70436b31f05e..a4fb61145c96 100644
im_save_status(b_im_ptr);
im_set_active(FALSE);
#endif
-diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
-index d62673aba254..fe849bcc1686 100644
--- /dev/null
+++ b/src/testdir/test_cmdwin.vim
-@@ -0,0 +0,12 @@
+@@ -0,0 +1,12 @@
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
@@ -96,7 +92,7 @@ index d62673aba254..fe849bcc1686 100644
+" vim: shiftwidth=2 sts=2 expandtab
--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
-@@ -89,6 +89,7 @@
+@@ -89,6 +89,7 @@ NEW_TESTS = \
test_clientserver \
test_close_count \
test_cmdline \
@@ -106,7 +102,7 @@ index d62673aba254..fe849bcc1686 100644
test_compiler \
--- a/src/version.c
+++ b/src/version.c
-@@ -2618,6 +2618,7 @@
+@@ -2618,6 +2618,7 @@ static char *(extra_patches[]) =
"8.2.3403",
"8.2.3409",
"8.2.3428",
diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch
index ab1abab..9cbaf88 100644
--- a/debian/patches/CVE-2022-3256.patch
+++ b/debian/patches/CVE-2022-3256.patch
@@ -11,8 +11,6 @@ Solution: Copy the mark before editing another buffer.
src/version.c | 2 ++
3 files changed, 22 insertions(+), 5 deletions(-)
-diff --git a/src/mark.c b/src/mark.c
-index ade5a1087b7d..584db033d3ca 100644
--- a/src/mark.c
+++ b/src/mark.c
@@ -252,17 +252,19 @@ movemark(int count)
@@ -40,11 +38,9 @@ index ade5a1087b7d..584db033d3ca 100644
pos = (pos_T *)-1;
}
else
-diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
-index 12501a3aba07..20fb3041f244 100644
--- a/src/testdir/test_marks.vim
+++ b/src/testdir/test_marks.vim
-@@ -174,3 +174,16 @@ func Test_getmarklist()
+@@ -174,3 +174,16 @@ func Test_mark_error()
call assert_fails('mark xx', 'E488:')
call assert_fails('mark _', 'E191:')
endfunc
@@ -63,7 +59,7 @@ index 12501a3aba07..20fb3041f244 100644
+
--- a/src/version.c
+++ b/src/version.c
-@@ -2619,6 +2619,7 @@
+@@ -2619,6 +2619,7 @@ static char *(extra_patches[]) =
"8.2.3409",
"8.2.3428",
"9.0.0490",
diff --git a/debian/patches/CVE-2022-3324.patch b/debian/patches/CVE-2022-3324.patch
index 59b60e6..f3e50d5 100644
--- a/debian/patches/CVE-2022-3324.patch
+++ b/debian/patches/CVE-2022-3324.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bf
src/window.c | 5 ++++-
2 files changed, 26 insertions(+), 1 deletion(-)
-diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
-index 3878637..4a35201 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -620,5 +620,27 @@ func Test_report_error_with_composing()
@@ -40,8 +38,6 @@ index 3878637..4a35201 100644
+
set cpo&
-diff --git a/src/window.c b/src/window.c
-index 7c7f580..c4d97d6 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1945,6 +1945,8 @@ win_equal_rec(
@@ -53,7 +49,7 @@ index 7c7f580..c4d97d6 100644
new_size += next_curwin_size;
room -= new_size - next_curwin_size;
}
-@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
+@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_h
void
win_new_width(win_T *wp, int width)
{
diff --git a/debian/patches/CVE-2022-3352.patch b/debian/patches/CVE-2022-3352.patch
index f55e40d..e5808ef 100644
--- a/debian/patches/CVE-2022-3352.patch
+++ b/debian/patches/CVE-2022-3352.patch
@@ -14,8 +14,6 @@ Solution: Disallow deleting the current buffer to avoid using freed memory.
Backport: src/buffer.c isn't vulnerable yet
-diff --git a/src/spell.c b/src/spell.c
-index 628814fe6db3..975b5a6789a9 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
@@ -38,11 +36,9 @@ index 628814fe6db3..975b5a6789a9 100644
}
/*
-diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
-index 86732f15dbe4..70f0f553a226 100644
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
-@@ -1416,3 +1416,14 @@
+@@ -1416,3 +1416,14 @@ func Test_Changed_FirstTime()
endfunc
" FileChangedShell tested in test_filechanged.vim
@@ -59,7 +55,7 @@ index 86732f15dbe4..70f0f553a226 100644
+
--- a/src/version.c
+++ b/src/version.c
-@@ -2620,6 +2620,7 @@
+@@ -2620,6 +2620,7 @@ static char *(extra_patches[]) =
"8.2.3428",
"9.0.0490",
"9.0.0530",
diff --git a/debian/patches/CVE-2022-3705.patch b/debian/patches/CVE-2022-3705.patch
index febdb59..531ba7c 100644
--- a/debian/patches/CVE-2022-3705.patch
+++ b/debian/patches/CVE-2022-3705.patch
@@ -9,11 +9,9 @@ Origin: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e7
src/version.c | 2 ++
3 files changed, 23 insertions(+)
-diff --git a/src/quickfix.c b/src/quickfix.c
-index 3bfa027..d6f773b 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
-@@ -4274,6 +4274,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last)
+@@ -4274,6 +4274,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T
// when the added lines are not visible.
if ((win = qf_find_win(qi)) != NULL && old_line_count < win->w_botline)
redraw_buf_later(buf, NOT_VALID);
@@ -23,7 +21,7 @@ index 3bfa027..d6f773b 100644
}
}
-@@ -4408,6 +4411,9 @@ qf_fill_buffer(qf_info_T *qi, buf_T *buf, qfline_T *old_last)
+@@ -4408,6 +4411,9 @@ qf_fill_buffer(qf_info_T *qi, buf_T *buf
break;
}
@@ -33,11 +31,9 @@ index 3bfa027..d6f773b 100644
if (old_last == NULL)
// Delete the empty line which is now at the end
(void)ml_delete(lnum + 1, FALSE);
-diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
-index 2e5fffa..860e417 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
-@@ -3931,3 +3931,18 @@ func Test_lopen_bwipe()
+@@ -3915,3 +3915,18 @@ func Test_lopen_bwipe()
delfunc R
endfunc
@@ -56,16 +52,14 @@ index 2e5fffa..860e417 100644
+ augroup END
+endfunc
+
-diff --git a/src/version.c b/src/version.c
-index cd174b0..28f8753 100644
--- a/src/version.c
+++ b/src/version.c
-@@ -791,6 +791,8 @@ static char *(features[]) =
-
+@@ -792,6 +792,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
-+/**/
-+ 805,
/**/
++ 805,
++/**/
5024,
/**/
+ 4214,
diff --git a/debian/patches/CVE-2022-4141.patch b/debian/patches/CVE-2022-4141.patch
new file mode 100644
index 0000000..e537b7f
--- /dev/null
+++ b/debian/patches/CVE-2022-4141.patch
@@ -0,0 +1,140 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 11 Jun 2023 13:46:58 +0200
+Subject: CVE-2022-4141
+
+Bug-Debian: https://bugs.debian.org/1027146
+Origin: https://github.com/vim/vim/commit/cc762a48d42b579fb7bdec2c614636b830342dd5
+---
+ src/normal.c | 35 ++++++++++++++++++++++++++---------
+ src/proto/normal.pro | 1 +
+ src/testdir/test_substitute.vim | 20 ++++++++++++++++++++
+ src/window.c | 4 +++-
+ 4 files changed, 50 insertions(+), 10 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index 8f92b9c..ee2233d 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -523,13 +523,36 @@ check_text_locked(oparg_T *oap)
+ {
+ if (text_locked())
+ {
+- clearopbeep(oap);
++ if (oap != NULL)
++ clearopbeep(oap);
+ text_locked_msg();
+ return TRUE;
+ }
+ return FALSE;
+ }
+
++/*
++ * If text is locked, "curbuf_lock" or "allbuf_lock" is set:
++ * Give an error message, possibly beep and return TRUE.
++ * "oap" may be NULL.
++ */
++ int
++check_text_or_curbuf_locked(oparg_T *oap)
++{
++ if (check_text_locked(oap))
++ return TRUE;
++
++#ifdef FEAT_AUTOCMD
++ if (curbuf_locked())
++ {
++ if (oap != NULL)
++ clearop(oap);
++ return TRUE;
++ }
++#endif
++ return FALSE;
++}
++
+ /*
+ * Execute a command in Normal mode.
+ */
+@@ -791,8 +814,7 @@ getcount:
+ goto normal_end;
+ }
+
+- if ((nv_cmds[idx].cmd_flags & NV_NCW)
+- && (check_text_locked(oap) || curbuf_locked()))
++ if ((nv_cmds[idx].cmd_flags & NV_NCW) && check_text_or_curbuf_locked(oap))
+ /* this command is not allowed now */
+ goto normal_end;
+
+@@ -6173,13 +6195,8 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+
+- if (check_text_locked(cap->oap))
++ if (check_text_or_curbuf_locked(cap->oap))
+ return;
+- if (curbuf_locked())
+- {
+- clearop(cap->oap);
+- return;
+- }
+
+ ptr = grab_file_name(cap->count1, &lnum);
+
+diff --git a/src/proto/normal.pro b/src/proto/normal.pro
+index 55d12bb..cc81ff9 100644
+--- a/src/proto/normal.pro
++++ b/src/proto/normal.pro
+@@ -1,4 +1,5 @@
+ /* normal.c */
++int check_text_or_curbuf_locked(oparg_T *oap);
+ void init_normal_cmds(void);
+ void normal_cmd(oparg_T *oap, int toplevel);
+ void do_pending_operator(cmdarg_T *cap, int old_col, int gui_yank);
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 9ab0adb..d78b036 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -565,3 +565,23 @@ func Test_sub_edit_scriptfile()
+ bwipe!
+ endfunc
+
++" This was editing another file from the expression.
++func Test_sub_expr_goto_other_file()
++ call writefile([''], 'Xfileone', 'D')
++ enew!
++ call setline(1, ['a', 'b', 'c', 'd',
++ \ 'Xfileone zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'])
++
++ func g:SplitGotoFile()
++ exe "sil! norm 0\<C-W>gf"
++ return ''
++ endfunc
++
++ $
++ s/\%')/\=g:SplitGotoFile()
++
++ delfunc g:SplitGotoFile
++ bwipe!
++endfunc
++
++
+diff --git a/src/window.c b/src/window.c
+index 7f51c1b..82ece3e 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -478,6 +478,8 @@ newwindow:
+ case Ctrl_F:
+ wingotofile:
+ CHECK_CMDWIN;
++ if (check_text_or_curbuf_locked(NULL))
++ break;
+
+ ptr = grab_file_name(Prenum1, &lnum);
+ if (ptr != NULL)
+@@ -757,7 +759,7 @@ win_split(int size, int flags)
+ * When "new_wp" is NULL: split the current window in two.
+ * When "new_wp" is not NULL: insert this window at the far
+ * top/left/right/bottom.
+- * return FAIL for failure, OK otherwise
++ * Return FAIL for failure, OK otherwise.
+ */
+ int
+ win_split_ins(
diff --git a/debian/patches/CVE-2023-0054.patch b/debian/patches/CVE-2023-0054.patch
new file mode 100644
index 0000000..1bb31bb
--- /dev/null
+++ b/debian/patches/CVE-2023-0054.patch
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 11 Jun 2023 13:48:33 +0200
+Subject: CVE-2023-0054
+
+Bug-Debian: https://bugs.debian.org/1031875
+Origin: https://github.com/vim/vim/commit/3ac1d97a1d9353490493d30088256360435f7731
+---
+ src/eval.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/eval.c b/src/eval.c
+index 659f35c..f22b0ae 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -10612,6 +10612,11 @@ do_string_sub(
+ * - The text after the match.
+ */
+ sublen = vim_regsub(&regmatch, sub, expr, tail, FALSE, TRUE, FALSE);
++ if (sublen <= 0)
++ {
++ ga_clear(&ga);
++ break;
++ }
+ if (ga_grow(&ga, (int)((end - tail) + sublen -
+ (regmatch.endp[0] - regmatch.startp[0]))) == FAIL)
+ {
diff --git a/debian/patches/CVE-2023-1175.patch b/debian/patches/CVE-2023-1175.patch
new file mode 100644
index 0000000..0bc1497
--- /dev/null
+++ b/debian/patches/CVE-2023-1175.patch
@@ -0,0 +1,41 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 11 Jun 2023 13:56:10 +0200
+Subject: CVE-2023-1175
+
+Origin: https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba
+---
+ src/ops.c | 2 ++
+ src/testdir/test_virtualedit.vim | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/ops.c b/src/ops.c
+index 50d5af9..45e6308 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -3119,6 +3119,8 @@ op_yank(oparg_T *oap, int deleting, int mess)
+ * double-count it. */
+ bd.startspaces = (ce - cs + 1)
+ - oap->start.coladd;
++ if (bd.startspaces < 0)
++ bd.startspaces = 0;
+ startcol++;
+ }
+ }
+diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
+index 6b8fdfd..c2a9403 100644
+--- a/src/testdir/test_virtualedit.vim
++++ b/src/testdir/test_virtualedit.vim
+@@ -87,3 +87,13 @@ func Test_virtualedit_replace_after_tab()
+ bwipe!
+ endfunc
+
++func Test_edit_special_char()
++ new
++ se ve=all
++ norm a0
++ sil! exe "norm o00000\<Nul>k<a0s"
++
++ bwipe!
++ set virtualedit=
++endfunc
++
diff --git a/debian/patches/CVE-2023-2610.patch b/debian/patches/CVE-2023-2610.patch
new file mode 100644
index 0000000..085b7b9
--- /dev/null
+++ b/debian/patches/CVE-2023-2610.patch
@@ -0,0 +1,68 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 11 Jun 2023 13:58:23 +0200
+Subject: CVE-2023-2610
+
+Bug-Debian: https://bugs.debian.org/1035955
+Origin: https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a
+---
+ src/regexp.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 6939fd1..5630364 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -7150,10 +7150,7 @@ do_Lower(int *d, int c)
+ regtilde(char_u *source, int magic)
+ {
+ char_u *newsub = source;
+- char_u *tmpsub;
+ char_u *p;
+- int len;
+- int prevlen;
+
+ for (p = newsub; *p; ++p)
+ {
+@@ -7162,24 +7159,34 @@ regtilde(char_u *source, int magic)
+ if (reg_prev_sub != NULL)
+ {
+ /* length = len(newsub) - 1 + len(prev_sub) + 1 */
+- prevlen = (int)STRLEN(reg_prev_sub);
+- tmpsub = alloc((unsigned)(STRLEN(newsub) + prevlen));
++ // Avoid making the text longer than MAXCOL, it will cause
++ // trouble at some point.
++ size_t prevsublen = STRLEN(reg_prev_sub);
++ size_t newsublen = STRLEN(newsub);
++ if (prevsublen > MAXCOL || newsublen > MAXCOL
++ || newsublen + prevsublen > MAXCOL)
++ {
++ break;
++ }
++
++ char_u *tmpsub = alloc(newsublen + prevsublen);
+ if (tmpsub != NULL)
+ {
+ /* copy prefix */
+- len = (int)(p - newsub); /* not including ~ */
+- mch_memmove(tmpsub, newsub, (size_t)len);
++ size_t prefixlen = p - newsub; // not including ~
++ mch_memmove(tmpsub, newsub, prefixlen);
+ /* interpret tilde */
+- mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen);
++ mch_memmove(tmpsub + prefixlen, reg_prev_sub,
++ prevsublen);
+ /* copy postfix */
+ if (!magic)
+ ++p; /* back off \ */
+- STRCPY(tmpsub + len + prevlen, p + 1);
++ STRCPY(tmpsub + prefixlen + prevsublen, p + 1);
+
+- if (newsub != source) /* already allocated newsub */
++ if (newsub != source) // allocated newsub before
+ vim_free(newsub);
+ newsub = tmpsub;
+- p = newsub + len + prevlen;
++ p = newsub + prefixlen + prevsublen;
+ }
+ }
+ else if (magic)
diff --git a/debian/patches/CVE_2022-1968.patch b/debian/patches/CVE_2022-1968.patch
index eab9980..eafcba5 100644
--- a/debian/patches/CVE_2022-1968.patch
+++ b/debian/patches/CVE_2022-1968.patch
@@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e1108
src/testdir/test_tagjump.vim | 12 ++++++++++++
2 files changed, 30 insertions(+), 3 deletions(-)
-diff --git a/src/search.c b/src/search.c
-index 4b3f853..9a17918 100644
--- a/src/search.c
+++ b/src/search.c
@@ -4852,6 +4852,21 @@ linewhite(linenr_T lnum)
@@ -61,8 +59,6 @@ index 4b3f853..9a17918 100644
}
already = NULL;
}
-diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
-index da4af2f..7605730 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -372,4 +372,16 @@ func Test_getsettagstack()
diff --git a/debian/patches/series b/debian/patches/series
index acb4b8e..56ef38a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -76,3 +76,7 @@ CVE-2022-2129.patch
CVE-2022-3235.patch
CVE-2022-3256.patch
CVE-2022-3352.patch
+CVE-2022-4141.patch
+CVE-2023-0054.patch
+CVE-2023-1175.patch
+CVE-2023-2610.patch