From: Markus Koschany <apo@debian.org>
Date: Wed, 19 Oct 2022 19:41:33 +0200
Subject: CVE-2021-3984

Origin: https://github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655
---
 src/indent.c                 | 10 +++++-----
 src/testdir/test_cindent.vim | 12 ++++++++++++
 2 files changed, 17 insertions(+), 5 deletions(-)

--- a/src/indent.c
+++ b/src/indent.c
@@ -1551,10 +1551,10 @@ cin_skip2pos(pos_T *trypos)
     static pos_T *
 find_start_brace(void)	    // XXX
 {
-    pos_T	cursor_save;
-    pos_T	*trypos;
-    pos_T	*pos;
-    static pos_T	pos_copy;
+    pos_T	    cursor_save;
+    pos_T	    *trypos;
+    pos_T	    *pos;
+    static pos_T    pos_copy;
 
     cursor_save = curwin->w_cursor;
     while ((trypos = findmatchlimit(NULL, '{', FM_BLOCKSTOP, 0)) != NULL)
@@ -1568,7 +1568,7 @@ find_start_brace(void)	    // XXX
 		       && (pos = ind_find_start_CORS(NULL)) == NULL) // XXX
 	    break;
 	if (pos != NULL)
-	    curwin->w_cursor.lnum = pos->lnum;
+	    curwin->w_cursor = *pos;
     }
     curwin->w_cursor = cursor_save;
     return trypos;
--- a/src/testdir/test_cindent.vim
+++ b/src/testdir/test_cindent.vim
@@ -102,4 +102,16 @@ func Test_cindent_expr()
   bw!
 endfunc
 
+func Test_find_brace_backwards()
+  " this was looking beyond the end of the line
+  new
+  norm R/*
+  norm o0{
+  norm o//
+  norm V{=
+  call assert_equal(['/*', '   0{', '//'], getline(1, 3))
+  bwipe!
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab