vim: fix CVE-2021-3875

Backport a patch to fix CVE-2021-3875.

(From OE-Core rev: de2493aac4f8ea9d8e4e59efa1359567fa186319)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-support/vim/files/CVE-2021-3875.patch

@@ -0,0 +1,37 @@
+From 40aa9802ef56d3cdbe256b4c9e58049953051a2d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 15 Nov 2021 14:34:50 +0800
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+
+Problem:    ml_get error after search with range.
+Solution:   Limit the line number to the buffer line count.
+
+CVE: CVE-2021-3875
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/ex_docmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fb07450f8..89d33ba90 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+ 
+ 		    // When '/' or '?' follows another address, start from
+ 		    // there.
+-		    if (lnum != MAXLNUM)
+-			curwin->w_cursor.lnum = lnum;
++		    if (lnum > 0 && lnum != MAXLNUM)
++			curwin->w_cursor.lnum =
++			        lnum > curbuf->b_ml.ml_line_count
++			                   ? curbuf->b_ml.ml_line_count : lnum;
+ 
+ 		    // Start a forward search at the end of the line (unless
+ 		    // before the first line).
+-- 
+2.17.1
+

meta/recipes-support/vim/vim.inc

@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
            file://CVE-2021-3903.patch \
            file://CVE-2021-3872.patch \
+           file://CVE-2021-3875.patch \
 "
 
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"