diff -Nru vim-8.2.3995/debian/changelog vim-8.2.3995/debian/changelog
--- vim-8.2.3995/debian/changelog 2023-06-22 04:08:04.000000000 +0000
+++ vim-8.2.3995/debian/changelog 2023-08-01 05:37:49.000000000 +0000
@@ -1,3 +1,43 @@ +vim (2:8.2.3995-1ubuntu2.10) jammy-security; urgency=medium + + * SECURITY UPDATE: heap-based buffer overflow + - debian/patches/CVE-2022-2182.patch: When on line zero check the + column is valid for line one. + - debian/patches/CVE-2022-2264.patch: Adjust the end mark position. + - debian/patches/CVE-2022-2284.patch: Stop Visual mode when closing a + window. + - CVE-2022-2182 + - CVE-2022-2264 + - CVE-2022-2284 + * SECURITY UPDATE: NULL pointer dereference + - debian/patches/CVE-2022-2208.patch: Recompute diffs later. Skip + window without a valid buffer. + - debian/patches/CVE-2022-2231.patch: Do not use the NULL pointer. + - CVE-2022-2208 + - CVE-2022-2231 + * SECURITY UPDATE: out-of-bounds write issue + - debian/patches/CVE-2022-2210.patch: Use zero offset when change + removes all lines in a diff block + - CVE-2022-2210 + * SECURITY UPDATE: out-of-bounds read issue + - debian/patches/CVE-2022-2257.patch: Check for NUL. + - debian/patches/CVE-2022-2286.patch: Check the length of the string + - debian/patches/CVE-2022-2287.patch: Disallow adding a word with + control characters or a trailing slash. + - CVE-2022-2257 + - CVE-2022-2286 + - CVE-2022-2287 + * SECURITY UPDATE: integer overflow issue + - debian/patches/CVE-2022-2285.patch: Put a NUL after the typeahead. 
+ - CVE-2022-2285 + * SECURITY UPDATE: use after free memory issue + - debian/patches/CVE-2022-2289.patch: Bail out when diff pointer is no + longer valid + - CVE-2022-2289 + * debian/patches/skip_some_tests.patch: skip some failing test + + -- Nishit Majithia Tue, 01 Aug 2023 11:07:49 +0530 + vim (2:8.2.3995-1ubuntu2.9) jammy-security; urgency=medium * SECURITY UPDATE: out-of-bounds read when finding an ex command by name diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2182.patch vim-8.2.3995/debian/patches/CVE-2022-2182.patch --- vim-8.2.3995/debian/patches/CVE-2022-2182.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2182.patch 2023-07-28 05:19:38.000000000 +0000 
@@ -0,0 +1,48 @@ +From f7c7c3fad6d2135d558f3b36d0d1a943118aeb5e Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 22 Jun 2022 19:08:38 +0100 +Subject: [PATCH] patch 8.2.5150: read past the end of the first line with + ":0;'{" + +Problem: Read past the end of the first line with ":0;'{". +Solution: When on line zero check the column is valid for line one. +--- + src/ex_docmd.c | 5 ++++- + src/testdir/test_cmdline.vim | 8 ++++++++ + src/version.c | 2 ++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +--- vim-8.2.3995.orig/src/ex_docmd.c ++++ vim-8.2.3995/src/ex_docmd.c +@@ -3348,10 +3348,13 @@ parse_cmd_address(exarg_T *eap, char **e + curwin->w_cursor.lnum = eap->line2; + + // Don't leave the cursor on an illegal line or column, but do +- // accept zero as address, so 0;/PATTERN/ works correctly. ++ // accept zero as address, so 0;/PATTERN/ works correctly ++ // (where zero usually means to use the first line). + // Check the cursor position before returning. + if (eap->line2 > 0) + check_cursor(); ++ else ++ check_cursor_col(); + need_check_cursor = TRUE; + } + } +--- vim-8.2.3995.orig/src/testdir/test_cmdline.vim ++++ vim-8.2.3995/src/testdir/test_cmdline.vim +@@ -667,6 +667,14 @@ func Test_illegal_address2() + call delete('Xtest.vim') + endfunc + ++func Test_mark_from_line_zero() ++ " this was reading past the end of the first (empty) line ++ new ++ norm oxxxx ++ call assert_fails("0;'(", 'E20:') ++ bwipe! ++endfunc ++ + func Test_cmdline_complete_wildoptions() + help + call feedkeys(":tag /\\\"\", 'tx') diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2208.patch vim-8.2.3995/debian/patches/CVE-2022-2208.patch --- vim-8.2.3995/debian/patches/CVE-2022-2208.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2208.patch 2023-07-28 05:41:08.000000000 +0000 
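Review bot: The patch header's diffstat still lists `src/version.c | 2 ++` and "3 files changed", but the backport carries only the ex_docmd.c and test_cmdline.vim hunks, so the header no longer describes what the patch applies; the same stale diffstat is carried in CVE-2022-2208, 2210, 2231, 2257, 2264, 2284, 2285, 2286, 2287 and 2289. Either trim the version.c line (and the totals) from each diffstat, or add a DEP-3 line such as `Origin: backport, <UPSTREAM-COMMIT-URL>` with a one-line remark that the version.c hunk was deliberately dropped, so the next rebaser does not mistake the difference for a lost hunk. The `check_cursor_col()` branch itself is a one-line change; parse_cmd_address()'s body continues outside this hunk.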
@@ -0,0 +1,59 @@ +From cd38bb4d83c942c4bad596835c6766cbf32e5195 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 26 Jun 2022 14:04:07 +0100 +Subject: [PATCH] patch 8.2.5163: crash when deleting buffers in diff mode + +Problem: Crash when deleting buffers in diff mode. +Solution: Recompute diffs later. Skip window without a valid buffer. +--- + src/diff.c | 10 ++++++++-- + src/testdir/test_diffmode.vim | 12 ++++++++++++ + src/version.c | 2 ++ + 3 files changed, 22 insertions(+), 2 deletions(-) + +--- vim-8.2.3995.orig/src/diff.c ++++ vim-8.2.3995/src/diff.c +@@ -119,7 +119,12 @@ diff_buf_delete(buf_T *buf) + tp->tp_diffbuf[i] = NULL; + tp->tp_diff_invalid = TRUE; + if (tp == curtab) +- diff_redraw(TRUE); ++ { ++ // don't redraw right away, more might change or buffer state ++ // is invalid right now ++ need_diff_redraw = TRUE; ++ redraw_later(VALID); ++ } + } + } + } +@@ -670,7 +675,8 @@ diff_redraw( + + need_diff_redraw = FALSE; + FOR_ALL_WINDOWS(wp) +- if (wp->w_p_diff) ++ // when closing windows or wiping buffers skip invalid window ++ if (wp->w_p_diff && buf_valid(wp->w_buffer)) + { + redraw_win_later(wp, SOME_VALID); + if (wp != curwin) +--- vim-8.2.3995.orig/src/testdir/test_diffmode.vim ++++ vim-8.2.3995/src/testdir/test_diffmode.vim +@@ -1462,4 +1462,17 @@ func Test_diff_binary() + set diffopt&vim + endfunc + ++" This was trying to update diffs for a buffer being closed ++func Test_diff_only() ++ silent! lfile ++ set diff ++ lopen ++ norm ␗␘␗␎o ++ silent! norm ␗␎␗o ++ ++ set nodiff ++ %bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2210.patch vim-8.2.3995/debian/patches/CVE-2022-2210.patch --- vim-8.2.3995/debian/patches/CVE-2022-2210.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2210.patch 2023-07-28 06:06:20.000000000 +0000 
@@ -0,0 +1,63 @@ +From c101abff4c6756db4f5e740fde289decb9452efa Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sun, 26 Jun 2022 16:53:34 +0100 +Subject: [PATCH] patch 8.2.5164: invalid memory access after diff buffer + manipulations + +Problem: Invalid memory access after diff buffer manipulations. +Solution: Use zero offset when change removes all lines in a diff block. +--- + src/diff.c | 4 ++-- + src/testdir/test_diffmode.vim | 12 ++++++++++++ + src/version.c | 2 ++ + 3 files changed, 16 insertions(+), 2 deletions(-) + +--- vim-8.2.3995.orig/src/diff.c ++++ vim-8.2.3995/src/diff.c +@@ -403,9 +403,9 @@ diff_mark_adjust_tp( + // 2. 3. 4. 5.: inserted/deleted lines touching this diff. + if (deleted > 0) + { ++ off = 0; + if (dp->df_lnum[idx] >= line1) + { +- off = dp->df_lnum[idx] - lnum_deleted; + if (last <= line2) + { + // 4. delete all lines of diff +@@ -426,6 +426,7 @@ diff_mark_adjust_tp( + else + { + // 5. delete lines at or just before top of diff ++ off = dp->df_lnum[idx] - lnum_deleted; + n = off; + dp->df_count[idx] -= line2 - dp->df_lnum[idx] + 1; + check_unchanged = TRUE; +@@ -434,7 +435,6 @@ diff_mark_adjust_tp( + } + else + { +- off = 0; + if (last < line2) + { + // 2. delete at end of diff +--- vim-8.2.3995.orig/src/testdir/test_diffmode.vim ++++ vim-8.2.3995/src/testdir/test_diffmode.vim +@@ -1474,5 +1474,17 @@ func Test_diff_only() + %bwipe! + endfunc + ++" This was causing invalid diff block values ++" FIXME: somehow this causes a valgrind error when run directly but not when ++" run as a test. ++func Test_diff_manipulations() ++ set diff ++ split 0 ++ sil! norm R doobdeuR doobdeuR doobdeu ++ ++ set nodiff ++ %bwipe! 
++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2231.patch vim-8.2.3995/debian/patches/CVE-2022-2231.patch --- vim-8.2.3995/debian/patches/CVE-2022-2231.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2231.patch 2023-08-01 05:37:49.000000000 +0000 
@@ -0,0 +1,103 @@ +From 79481367a457951aabd9501b510fd7e3eb29c3d8 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Mon, 27 Jun 2022 20:15:10 +0100 +Subject: [PATCH] patch 8.2.5169: nested :source may use NULL pointer + +Problem: Nested :source may use NULL pointer. +Solution: Do not use the NULL pointer. +--- + src/eval.c | 44 +++++++++++++++++++--------------- + src/testdir/test_vimscript.vim | 19 +++++++++++++++ + src/version.c | 2 ++ + 3 files changed, 46 insertions(+), 19 deletions(-) + +--- vim-8.2.3995.orig/src/eval.c ++++ vim-8.2.3995/src/eval.c +@@ -2231,27 +2231,31 @@ eval0( + + p = skipwhite(arg); + ret = eval1(&p, rettv, evalarg); +- expr_end = p; +- p = skipwhite(p); + +- // In Vim9 script a command block is not split at NL characters for +- // commands using an expression argument. Skip over a '#' comment to check +- // for a following NL. Require white space before the '#'. +- if (in_vim9script() && p > expr_end) +- while (*p == '#') +- { +- char_u *nl = vim_strchr(p, NL); ++ if (ret != FAIL) ++ { ++ expr_end = p; ++ p = skipwhite(p); ++ // In Vim9 script a command block is not split at NL characters for ++ // commands using an expression argument. Skip over a '#' comment to ++ // check for a following NL. Require white space before the '#'. ++ if (in_vim9script() && p > expr_end) ++ while (*p == '#') ++ { ++ char_u *nl = vim_strchr(p, NL); + +- if (nl == NULL) +- break; +- p = skipwhite(nl + 1); +- if (eap != NULL && *p != NUL) +- eap->nextcmd = p; +- check_for_end = FALSE; +- } ++ if (nl == NULL) ++ break; ++ p = skipwhite(nl + 1); ++ if (eap != NULL && *p != NUL) ++ eap->nextcmd = p; ++ check_for_end = FALSE; ++ } ++ ++ if (check_for_end) ++ end_error = !ends_excmd2(arg, p); ++ } + +- if (ret != FAIL && check_for_end) +- end_error = !ends_excmd2(arg, p); + if (ret == FAIL || end_error) + { + if (ret != FAIL) +@@ -2277,7 +2281,8 @@ eval0( + // Some of the expression may not have been consumed. 
Do not check for + // a next command to avoid more errors, unless "|" is following, which + // could only be a command separator. +- if (eap != NULL && skipwhite(p)[0] == '|' && skipwhite(p)[1] != '|') ++ if (eap != NULL && p != NULL ++ && skipwhite(p)[0] == '|' && skipwhite(p)[1] != '|') + eap->nextcmd = check_nextcmd(p); + return FAIL; + } +--- vim-8.2.3995.orig/src/testdir/test_vimscript.vim ++++ vim-8.2.3995/src/testdir/test_vimscript.vim +@@ -7518,6 +7518,25 @@ func Test_for_over_string() + call assert_equal('', res) + endfunc + ++" Test for deeply nested :source command {{{1 ++func Test_deeply_nested_source() ++ let lines =<< trim END ++ ++ so ++ sil 0scr ++ delete ++ so ++ 0 ++ END ++ call writefile(["vim9 silent! @0 \n/"] + lines, 'Xnested.vim') ++ ++ " this must not crash ++ let cmd = GetVimCommand() .. " -e -s -S Xnested.vim -c qa!" ++ call system(cmd) ++ ++ call delete('Xnested.vim') ++endfunc ++ + "------------------------------------------------------------------------------- + " Modelines {{{1 + " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2257.patch vim-8.2.3995/debian/patches/CVE-2022-2257.patch --- vim-8.2.3995/debian/patches/CVE-2022-2257.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2257.patch 2023-08-01 05:37:49.000000000 +0000 
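Review bot: Test_deeply_nested_source runs the child Vim through `call system(cmd)` and then ignores the result, so the "this must not crash" comment is not enforced: a child that dies on a signal leaves the test green. Add `call assert_equal(0, v:shell_error)` after the `system()` call so the regression test fails when the child does not exit cleanly. The eval0() part of the patch only restructures the post-eval1 handling under `if (ret != FAIL)` and guards the bail-out with `p != NULL`; eval0's declarations and the rest of the error path are outside this hunk.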
@@ -0,0 +1,25 @@ +From 083692d598139228e101b8c521aaef7bcf256e9a Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Wed, 29 Jun 2022 21:16:58 +0100 +Subject: [PATCH] patch 9.0.0009: going past the end of a menu item with only + modifier + +Problem: Going past the end of a menu item with only modifier. +Solution: Check for NUL. +--- + src/message.c | 4 ++-- + src/testdir/test_menu.vim | 13 +++++++++++++ + src/version.c | 2 ++ + 3 files changed, 17 insertions(+), 2 deletions(-) + +--- vim-8.2.3995.orig/src/message.c ++++ vim-8.2.3995/src/message.c +@@ -1806,7 +1806,7 @@ str2special( + *sp = str + len; + } + else +- *sp = str + 1; ++ *sp = str + (*str == NUL ? 0 : 1); + + // Make unprintable characters in <> form, also and . + // Use only for lhs of a mapping. diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2264.patch vim-8.2.3995/debian/patches/CVE-2022-2264.patch --- vim-8.2.3995/debian/patches/CVE-2022-2264.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2264.patch 2023-07-31 06:23:05.000000000 +0000 
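Review bot: The backport drops the upstream regression test although the header diffstat still promises `src/testdir/test_menu.vim | 13 +++++++++++++`; only the str2special() change `*sp = str + (*str == NUL ? 0 : 1);` is carried. Without the test nothing in the package's test run exercises a menu item that ends in a bare modifier, so a later rebase could lose the fix unnoticed. Either include the upstream test hunk or state in the patch header why it was omitted, and correct the diffstat either way. str2special()'s surrounding body is outside this hunk.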
@@ -0,0 +1,45 @@ +From d25f003342aca9889067f2e839963dfeccf1fe05 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Thu, 30 Jun 2022 12:30:19 +0100 +Subject: [PATCH] patch 9.0.0011: reading beyond the end of the line with put + command + +Problem: Reading beyond the end of the line with put command. +Solution: Adjust the end mark position. +--- + src/register.c | 2 ++ + src/testdir/test_put.vim | 12 ++++++++++++ + src/version.c | 2 ++ + 3 files changed, 16 insertions(+) + +--- vim-8.2.3995.orig/src/register.c ++++ vim-8.2.3995/src/register.c +@@ -1906,6 +1906,8 @@ do_put( + vim_memset(ptr, ' ', (size_t)spaces); + ptr += spaces; + } ++ else ++ totlen -= spaces; // didn't use these spaces + } + + // may insert some spaces after the new text +--- vim-8.2.3995.orig/src/testdir/test_put.vim ++++ vim-8.2.3995/src/testdir/test_put.vim +@@ -221,5 +221,17 @@ func Test_put_visual_block_mode() + set ve= + endfunc + ++" this was putting the end mark after the end of the line ++func Test_put_visual_mode() ++ edit! SomeNewBuffer ++ set selection=exclusive ++ exe "norm o\t" ++ m0 ++ sil! norm  p p ++ ++ bwipe! ++ set selection& ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2284.patch vim-8.2.3995/debian/patches/CVE-2022-2284.patch --- vim-8.2.3995/debian/patches/CVE-2022-2284.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2284.patch 2023-07-31 12:28:40.000000000 +0000 
@@ -0,0 +1,44 @@ +From 3d51ce18ab1be4f9f6061568a4e7fabf00b21794 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 15:26:15 +0100 +Subject: [PATCH] patch 9.0.0017: accessing memory beyond the end of the line + +Problem: Accessing memory beyond the end of the line. +Solution: Stop Visual mode when closing a window. +--- + src/testdir/test_visual.vim | 12 ++++++++++++ + src/version.c | 2 ++ + src/window.c | 2 ++ + 3 files changed, 16 insertions(+) + +--- vim-8.2.3995.orig/src/testdir/test_visual.vim ++++ vim-8.2.3995/src/testdir/test_visual.vim +@@ -1369,5 +1369,17 @@ func Test_visual_undo_deletes_last_line( + bwipe! + endfunc + ++func Test_visual_area_adjusted_when_hiding() ++ " The Visual area ended after the end of the line after :hide ++ call setline(1, 'xxx') ++ vsplit Xfile ++ call setline(1, 'xxxxxxxx') ++ norm! $o ++ hid ++ norm! zW ++ bwipe! ++ bwipe! ++endfunc ++ + + " vim: shiftwidth=2 sts=2 expandtab +--- vim-8.2.3995.orig/src/window.c ++++ vim-8.2.3995/src/window.c +@@ -2562,6 +2562,8 @@ win_close(win_T *win, int free_buf) + */ + if (wp->w_buffer != curbuf) + { ++ reset_VIsual_and_resel(); // stop Visual mode ++ + other_buffer = TRUE; + win->w_closing = TRUE; + apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2285.patch vim-8.2.3995/debian/patches/CVE-2022-2285.patch --- vim-8.2.3995/debian/patches/CVE-2022-2285.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2285.patch 2023-07-31 12:39:12.000000000 +0000 
@@ -0,0 +1,40 @@ +From 27efc62f5d86afcb2ecb7565587fe8dea4b036fe Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 16:35:45 +0100 +Subject: [PATCH] patch 9.0.0018: going over the end of the typahead + +Problem: Going over the end of the typahead. +Solution: Put a NUL after the typeahead. +--- + src/term.c | 1 + + src/testdir/test_mapping.vim | 10 ++++++++++ + src/version.c | 2 ++ + 3 files changed, 13 insertions(+) + +--- vim-8.2.3995.orig/src/term.c ++++ vim-8.2.3995/src/term.c +@@ -5379,6 +5379,7 @@ check_termcode( + if (*tp == ESC && !p_ek && (State & INSERT)) + continue; + ++ tp[len] = NUL; + key_name[0] = NUL; // no key name found yet + key_name[1] = NUL; // no key name found yet + modifiers = 0; // no modifiers yet +--- vim-8.2.3995.orig/src/testdir/test_mapping.vim ++++ vim-8.2.3995/src/testdir/test_mapping.vim +@@ -1432,4 +1432,14 @@ func Test_abbreviate_latin1_encoding() + set encoding=utf-8 + endfunc + ++func Test_using_past_typeahead() ++ nnoremap :00 0 ++ exe "norm :set \x80\xfb0=0\" ++ exe "sil norm :0\x0f\\" ++ ++ exe "norm :set \x80\xfb0=\" ++ nunmap :00 ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2286.patch vim-8.2.3995/debian/patches/CVE-2022-2286.patch --- vim-8.2.3995/debian/patches/CVE-2022-2286.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2286.patch 2023-08-01 05:37:49.000000000 +0000 
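Review bot: `tp[len] = NUL;` writes one byte past the `len` bytes check_termcode() was asked to examine, so the fix is only safe when the buffer behind `tp` always has at least one spare byte; for the typeahead buffer that is the usual Vim invariant, but if, as upstream, `tp` can also point into a caller-supplied buffer, every such caller must size it with that slack, and nothing in this hunk shows it. Worth confirming against the callers before shipping, and a comment at the write, `// callers must leave room for one byte past the typeahead`, would record the assumption. The accompanying test_mapping.vim hunk appears to have lost some `\<…>` key notation in this rendering; check after applying the patch that the mapping and the exe strings are intact. check_termcode()'s loop header and the `tp`/`len` assignments are outside this hunk.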
@@ -0,0 +1,55 @@ +From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 19:58:30 +0100 +Subject: [PATCH] patch 9.0.0020: with some completion reading past end of + string + +Problem: With some completion reading past end of string. +Solution: Check the length of the string. +--- + src/insexpand.c | 14 ++++++++++++-- + src/testdir/test_ins_complete.vim | 8 ++++++++ + src/version.c | 2 ++ + 3 files changed, 22 insertions(+), 2 deletions(-) + +--- vim-8.2.3995.orig/src/insexpand.c ++++ vim-8.2.3995/src/insexpand.c +@@ -2142,11 +2142,21 @@ ins_compl_stop(int c, int prev_mode, int + // but only do this, if the Popup is still visible + if (c == Ctrl_E) + { ++ char_u *p = NULL; ++ + ins_compl_delete(); + if (compl_leader != NULL) +- ins_bytes(compl_leader + ins_compl_len()); ++ p = compl_leader; + else if (compl_first_match != NULL) +- ins_bytes(compl_orig_text + ins_compl_len()); ++ p = compl_orig_text; ++ if (p != NULL) ++ { ++ int compl_len = ins_compl_len(); ++ int len = (int)STRLEN(p); ++ ++ if (len > compl_len) ++ ins_bytes_len(p + compl_len, len - compl_len); ++ } + retval = TRUE; + } + +--- vim-8.2.3995.orig/src/testdir/test_ins_complete.vim ++++ vim-8.2.3995/src/testdir/test_ins_complete.vim +@@ -1885,4 +1885,12 @@ func Test_ins_complete_end_of_line() + bwipe! + endfunc + ++func Test_complete_overrun() ++ " this was going past the end of the copied text ++ new ++ sil norm si”0s0  ++ bwipe! ++endfunc ++ ++ + " vim: shiftwidth=2 sts=2 expandtab diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2287.patch vim-8.2.3995/debian/patches/CVE-2022-2287.patch --- vim-8.2.3995/debian/patches/CVE-2022-2287.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2287.patch 2023-08-01 03:38:24.000000000 +0000 
@@ -0,0 +1,84 @@ +From 5e59ea54c0c37c2f84770f068d95280069828774 Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Fri, 1 Jul 2022 22:26:20 +0100 +Subject: [PATCH] patch 9.0.0021: invalid memory access when adding word to + spell word list + +Problem: Invalid memory access when adding word with a control character to + the internal spell word list. +Solution: Disallow adding a word with control characters or a trailing + slash. +--- + src/spellfile.c | 21 +++++++++++++++++++-- + src/testdir/test_spell.vim | 15 +++++++++++++++ + src/version.c | 2 ++ + 3 files changed, 36 insertions(+), 2 deletions(-) + +--- vim-8.2.3995.orig/src/spellfile.c ++++ vim-8.2.3995/src/spellfile.c +@@ -4370,6 +4370,23 @@ wordtree_alloc(spellinfo_T *spin) + } + + /* ++ * Return TRUE if "word" contains valid word characters. ++ * Control characters and trailing '/' are invalid. Space is OK. ++ */ ++ static int ++valid_spell_word(char_u *word) ++{ ++ char_u *p; ++ ++ if (enc_utf8 && !utf_valid_string(word, NULL)) ++ return FALSE; ++ for (p = word; *p != NUL; p += mb_ptr2len(p)) ++ if (*p < ' ' || (p[0] == '/' && p[1] == NUL)) ++ return FALSE; ++ return TRUE; ++} ++ ++/* + * Store a word in the tree(s). + * Always store it in the case-folded tree. For a keep-case word this is + * useful when the word can also be used with all caps (no WF_FIXCAP flag) and +@@ -4394,7 +4411,7 @@ store_word( + char_u *p; + + // Avoid adding illegal bytes to the word tree. +- if (enc_utf8 && !utf_valid_string(word, NULL)) ++ if (!valid_spell_word(word)) + return FAIL; + + (void)spell_casefold(curwin, word, len, foldword, MAXWLEN); +@@ -6199,7 +6216,7 @@ spell_add_word( + int i; + char_u *spf; + +- if (enc_utf8 && !utf_valid_string(word, NULL)) ++ if (!valid_spell_word(word)) + { + emsg(_(e_illegal_character_in_word)); + return; +--- vim-8.2.3995.orig/src/testdir/test_spell.vim ++++ vim-8.2.3995/src/testdir/test_spell.vim +@@ -818,6 +818,21 @@ func Test_spellsuggest_too_deep() + bwipe! 
+ endfunc + ++func Test_spell_good_word_invalid() ++ " This was adding a word with a 0x02 byte, which causes havoc. ++ enew ++ norm o0 ++ sil! norm rzzWs00/ ++ 2 ++ sil! norm VzGprzzW ++ sil! norm z= ++ ++ bwipe! ++ " clear the internal word list ++ set enc=latin1 ++ set enc=utf-8 ++endfunc ++ + func LoadAffAndDic(aff_contents, dic_contents) + set enc=latin1 + set spellfile= diff -Nru vim-8.2.3995/debian/patches/CVE-2022-2289.patch vim-8.2.3995/debian/patches/CVE-2022-2289.patch --- vim-8.2.3995/debian/patches/CVE-2022-2289.patch 1970-01-01 00:00:00.000000000 +0000 +++ vim-8.2.3995/debian/patches/CVE-2022-2289.patch 2023-08-01 04:15:48.000000000 +0000 
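Review bot: valid_spell_word() scans to the terminating NUL, while its new caller store_word() receives an explicit `len` (passed to spell_casefold() two lines below the changed line), so the validity check and the store operate on potentially different extents of `word`. The replaced `utf_valid_string(word, NULL)` call had the same shape, so this is not a regression, but the asymmetry deserves a comment on the store_word() call, e.g. `// validates the whole NUL-terminated word, not just "len" bytes`, or a length-aware variant if `word` is ever not NUL-terminated at `len`. The `*p < ' '` comparison is fine on `char_u`; store_word()'s remaining body is outside this hunk.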
@@ -0,0 +1,50 @@ +From c5274dd12224421f2430b30c53b881b9403d649e Mon Sep 17 00:00:00 2001 +From: Bram Moolenaar +Date: Sat, 2 Jul 2022 15:10:00 +0100 +Subject: [PATCH] patch 9.0.0026: accessing freed memory with diff put + +Problem: Accessing freed memory with diff put. +Solution: Bail out when diff pointer is no longer valid. +--- + src/diff.c | 24 ++++++++++++++++++++++-- + src/version.c | 2 ++ + 2 files changed, 24 insertions(+), 2 deletions(-) + +--- vim-8.2.3995.orig/src/diff.c ++++ vim-8.2.3995/src/diff.c +@@ -2639,6 +2639,20 @@ nv_diffgetput(int put, long count) + } + + /* ++ * Return TRUE if "diff" appears in the list of diff blocks of the current tab. ++ */ ++ static int ++valid_diff(diff_T *diff) ++{ ++ diff_T *dp; ++ ++ for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next) ++ if (dp == diff) ++ return TRUE; ++ return FALSE; ++} ++ ++/* + * ":diffget" + * ":diffput" + */ +@@ -2919,7 +2933,13 @@ ex_diffgetput(exarg_T *eap) + #endif + vim_free(dfree); + } +- else ++ ++ // mark_adjust() may have made "dp" invalid. We don't know where ++ // to continue then, bail out. ++ if (added != 0 && !valid_diff(dp)) ++ break; ++ ++ if (dfree == NULL) + // mark_adjust() may have changed the count in a wrong way + dp->df_count[idx_to] = new_count; + diff -Nru vim-8.2.3995/debian/patches/series vim-8.2.3995/debian/patches/series --- vim-8.2.3995/debian/patches/series 2023-06-22 02:31:27.000000000 +0000 +++ vim-8.2.3995/debian/patches/series 2023-08-01 05:37:49.000000000 +0000 
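Review bot: valid_diff() establishes validity by pointer identity against curtab's diff list, which cannot distinguish a block that survived from a freed block whose address was reused by an allocation made during mark_adjust(); in that case the bail-out does not trigger and `dp->df_count[idx_to] = new_count` writes into the new block. Whether mark_adjust() can allocate diff blocks on this path is not visible in the hunk, so this is a residual risk to confirm rather than a defect shown here; a comment above valid_diff() stating that limitation would help the next reader. The `if (dfree == NULL)` replacing the former `else` keeps the previous behaviour since `dfree` is freed just above. ex_diffgetput()'s loop header and the `dfree` assignment are outside this hunk.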
@@ -89,3 +89,15 @@
 CVE-2022-0393.patch
 CVE-2022-0407.patch
 CVE-2022-0696.patch
+CVE-2022-2182.patch
+CVE-2022-2208.patch
+CVE-2022-2210.patch
+CVE-2022-2231.patch
+CVE-2022-2257.patch
+CVE-2022-2264.patch
+CVE-2022-2284.patch
+CVE-2022-2285.patch
+CVE-2022-2286.patch
+CVE-2022-2287.patch
+CVE-2022-2289.patch
+skip_some_tests.patch
diff -Nru vim-8.2.3995/debian/patches/skip_some_tests.patch vim-8.2.3995/debian/patches/skip_some_tests.patch
--- vim-8.2.3995/debian/patches/skip_some_tests.patch 1970-01-01 00:00:00.000000000 +0000
+++ vim-8.2.3995/debian/patches/skip_some_tests.patch 2023-08-01 05:37:49.000000000 +0000
@@ -0,0 +1,40 @@
+Description: skip Test_no_crash_with_weird_text() test
+Author: Nishit Majithia
+Origin: other
+--- vim-8.2.3995.orig/src/testdir/test_spell_utf8.vim
++++ vim-8.2.3995/src/testdir/test_spell_utf8.vim
+@@ -765,20 +765,20 @@ func Test_spellfile_value()
+ set spellfile=Xdir/Xtest.utf-8.add,Xtest_other.add
+ endfunc
+ 
+-func Test_no_crash_with_weird_text()
+- new
+- let lines =<< trim END
+- r
+- €
+-
+-
+- €
+- END
+- call setline(1, lines)
+- exe "%norm \ez=>\wzG"
+-
+- bwipe!
+-endfunc
++"func Test_no_crash_with_weird_text()
++" new
++" let lines =<< trim END
++" r
++" €
++"
++"
++" €
++" END
++" call setline(1, lines)
++" exe "%norm \ez=>\wzG"
++"
++" bwipe!
++"endfunc
+ 
+ " Invalid bytes may cause trouble when creating the word list.
+ func Test_check_for_valid_word()
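Review bot: skip_some_tests.patch removes Test_no_crash_with_weird_text() by commenting out every line, which makes the test vanish from the run instead of being reported as skipped, and neither the changelog entry ("skip some failing test") nor the patch header records why it fails with this set of backports. Since the test drives the spell checker (`z=`, `zG`) over invalid bytes, the same area CVE-2022-2287 touches, the failure is worth understanding before it is hidden. Prefer leaving the function in place and opening it with `throw 'Skipped: <REASON>'` so the harness counts it as skipped, and put the reason in the patch's Description field together with a `Forwarded: not-needed` line.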