1 files changed, 51 insertions, 0 deletions

diff --git a/debian/patches/CVE-2021-4192.patch b/debian/patches/CVE-2021-4192.patch
new file mode 100644
index 0000000..eccc96b
--- /dev/null
+++ b/debian/patches/CVE-2021-4192.patch
@@ -0,0 +1,51 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 20:01:41 +0200
+Subject: CVE-2021-4192
+
+Origin: https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
+---
+ src/regexp.c                      | 9 +++++++--
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -4112,9 +4112,9 @@ reg_match_visual(void)
+     if (lnum < top.lnum || lnum > bot.lnum)
+ 	return FALSE;
+ 
++    col = (colnr_T)(rex.input - rex.line);
+     if (mode == 'v')
+     {
+-	col = (colnr_T)(rex.input - rex.line);
+ 	if ((lnum == top.lnum && col < top.col)
+ 		|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ 	    return FALSE;
+@@ -4129,7 +4129,12 @@ reg_match_visual(void)
+ 	    end = end2;
+ 	if (top.col == MAXCOL || bot.col == MAXCOL)
+ 	    end = MAXCOL;
+-	cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
++
++	// getvvcol() flushes rex.line, need to get it again
++	rex.line = reg_getline(rex.lnum);
++	rex.input = rex.line + col;
++
++	cols = win_linetabsize(wp, rex.line, col);
+ 	if (cols < start || cols > end - (*p_sel == 'e'))
+ 	    return FALSE;
+     }
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -93,3 +93,11 @@ func Test_using_mark_position()
+   bwipe!
+ endfunc
+ 
++func Test_using_visual_position()
++  " this was using freed memory
++  new
++  exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
++  /\%V
++  bwipe!
++endfunc
++