author Adam Weinberger <adamw@FreeBSD.org> 2026-02-28 03:49:16 +0000
committer Adam Weinberger <adamw@FreeBSD.org> 2026-02-28 03:59:34 +0000
commit 0646ec8a67e8741ff56f9f9d47346466e047948f
tree 8c060dbf839adf9060fb0966146e7c3d6fefd4c8 /science/py-pyked/Makefile
parent 12acdf0104507127c0fe3d44e5f9e7a96d0bf615
editors/vim: Update to 9.2.0073, multiple security fixes

While the minor has bumped, and much has changed from 9.1 to 9.2, we've been incrementally adopting the patches so it's not "new" to us, per se.

All the gory details are at:
https://github.com/vim/vim/blob/master/runtime/doc/version9.txt

This commit adds patches for six security issues:

patch 9.2.0073: [security]: possible command injection using netrw

Problem: [security]: Insufficient validation of hostname and port in netrw URIs allows command injection via shell metacharacters (ehdgks0627, un3xploitable).
Solution: Implement stricter RFC1123 hostname and IP validation. Use shellescape() for the provided hostname and port.

Github Advisory: GHSA-m3xh-9434-g336

patch 9.2.0074: [security]: Crash with overlong emacs tag file

Problem: Crash with overlong emacs tag file, because of an OOB buffer read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.

Github Advisory: GHSA-h4mf-vg97-hj8j

patch 9.2.0075: [security]: Buffer underflow with emacs tag file

Problem: When parsing a malformed Emacs-style tags file, a 1-byte heap-buffer-underflow read occurs if the 0x7f delimiter appears at the very beginning of a line. This happens because the code attempts to scan backward for a tag name from the delimiter without checking if space exists. (ehdgks0627, un3xploitable)
Solution: Add a check to ensure the delimiter (p_7f) is not at the start of the buffer (lbuf) before attempting to isolate the tag name.

GitHub Advisory: GHSA-xcc8-r6c5-hvwv

patch 9.2.0076: [security]: buffer-overflow in terminal handling

Problem: When processing terminal output with many combining characters from supplementary planes (4-byte UTF-8), a heap-buffer overflow occurs. Additionally, the loop iterating over cell characters can read past the end of the vterm array (ehdgks0627, un3xploitable).
Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure sufficient space. Add a boundary check to the character loop to prevent index out-of-bounds access.

Github Advisory: GHSA-rvj2-jrf9-2phg

patch 9.2.0077: [security]: Crash when recovering a corrupted swap file

Problem: memline: a crafted swap file with bogus pe_page_count/pe_bnum values could cause a multi-GB allocation via mf_get(), and invalid pe_old_lnum/pe_line_count values could cause a SEGV when passed to readfile() (ehdgks0627, un3xploitable)
Solution: Add bounds checks on pe_page_count and pe_bnum against mf_blocknr_max before descending into the block tree, and validate pe_old_lnum >= 1 and pe_line_count > 0 before calling readfile().

Github Advisory: GHSA-r2gw-2x48-jj5p

patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Problem: A stack-buffer-overflow occurs when rendering a statusline with a multi-byte fill character on a very wide terminal. The size check in build_stl_str_hl() uses the cell width rather than the byte length, allowing the subsequent fill loop to write beyond the 4096-byte MAXPATHL buffer (ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of the fill character (using MB_CHAR2LEN).

Github Advisory: GHSA-gmqx-prf2-8mwf

Security: Multiple (see commit message)
Diffstat (limited to 'science/py-pyked/Makefile')
0 files changed, 0 insertions, 0 deletions
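
The cell-width versus byte-length mistake that the commit message describes for patch 9.2.0078, as an added example: this is not Vim's code and not part of the commit. The names `utf8_len`, `fits_by_cells`, `fits_by_bytes`, `fill_clamped` and `demo_fill` are hypothetical, `utf8_len` stands in for the role the message gives MB_CHAR2LEN, and the fill character is assumed to be one cell wide.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4096   /* buffer size quoted in the commit message */

/* Byte length of a UTF-8 character from its lead byte (hypothetical helper). */
static size_t utf8_len(unsigned char lead)
{
    return (lead & 0xF8) == 0xF0 ? 4 : (lead & 0xF0) == 0xE0 ? 3
         : (lead & 0xE0) == 0xC0 ? 2 : 1;   /* 1: ASCII or invalid lead byte */
}

/* Flawed check: compares a count of screen cells against a byte capacity. */
static int fits_by_cells(size_t used, size_t cells) { return used + cells < BUF_SIZE; }

/* Corrected check: converts cells to bytes before comparing. */
static int fits_by_bytes(size_t used, size_t cells, const char *fill)
{
    size_t clen = utf8_len((unsigned char)fill[0]);
    return used < BUF_SIZE && cells <= (BUF_SIZE - 1 - used) / clen;
}

/* Append up to `cells` copies of `fill`, clamped to the bytes left in buf.
 * Returns the new length; buf stays NUL-terminated. */
static size_t fill_clamped(char *buf, size_t used, const char *fill, size_t cells)
{
    size_t clen = utf8_len((unsigned char)fill[0]);
    if (used >= BUF_SIZE) return used;
    size_t fit = (BUF_SIZE - 1 - used) / clen;
    if (cells > fit) cells = fit;
    for (size_t i = 0; i < cells; i++, used += clen)
        memcpy(buf + used, fill, clen);
    buf[used] = '\0';
    return used;
}

/* Constructed case: 100 bytes of text, then 2000 cells of U+2500 (3 bytes each). */
static size_t demo_fill(void)
{
    static char buf[BUF_SIZE];
    memset(buf, 'x', 100);
    return fill_clamped(buf, 100, "\xe2\x94\x80", 2000);
}

int main(void)
{
    printf("cells check: %d, bytes check: %d, clamped length: %zu\n",
           fits_by_cells(100, 2000), fits_by_bytes(100, 2000, "\xe2\x94\x80"), demo_fill());
    return 0;
}
```

The cell-based check accepts the constructed request even though it needs 6000 bytes on top of the 100 already used; the byte-based check rejects it, and the clamped fill stops at the last whole character that fits.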