From: Markus Koschany
Date: Wed, 19 Oct 2022 20:01:41 +0200
Subject: CVE-2021-4192
Origin: https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
---
 src/regexp.c | 9 +++++++--
 src/testdir/test_regexp_latin.vim | 8 ++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -4112,9 +4112,9 @@ reg_match_visual(void)
     if (lnum < top.lnum || lnum > bot.lnum)
         return FALSE;
+    col = (colnr_T)(rex.input - rex.line);
     if (mode == 'v')
     {
-        col = (colnr_T)(rex.input - rex.line);
         if ((lnum == top.lnum && col < top.col)
                 || (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
             return FALSE;
@@ -4129,7 +4129,12 @@ reg_match_visual(void)
             end = end2;
         if (top.col == MAXCOL || bot.col == MAXCOL)
             end = MAXCOL;
-        cols = win_linetabsize(wp, rex.line, (colnr_T)(rex.input - rex.line));
+
+        // getvvcol() flushes rex.line, need to get it again
+        rex.line = reg_getline(rex.lnum);
+        rex.input = rex.line + col;
+
+        cols = win_linetabsize(wp, rex.line, col);
         if (cols < start || cols > end - (*p_sel == 'e'))
             return FALSE;
     }
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -93,3 +93,11 @@ func Test_using_mark_position()
   bwipe!
 endfunc
+func Test_using_visual_position()
+  " this was using freed memory
+  new
+  exe "norm 0o\\k\o0"
+  /\%V
+  bwipe!
+endfunc
+
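Review bot: The hoisted `col = (colnr_T)(rex.input - rex.line);` now runs for every mode, but nothing at that line says why the byte offset has to be captured here rather than at its use site, so a later cleanup could move it back below the calls that invalidate `rex.line` and silently reintroduce the dangling-pointer read this commit fixes. Suggest a one-line comment above it: `// Take the byte offset now: rex.line and rex.input become stale after getvvcol() below.` reg_match_visual() begins before this hunk, so how `lnum` and `mode` are derived is not visible here.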
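Review bot: The re-fetch `rex.line = reg_getline(rex.lnum);` followed by `rex.input = rex.line + col;` relies on reg_getline() returning a usable pointer; if that helper can return NULL for an out-of-range line, as pointer-returning line accessors in this codebase commonly do, the addition would form an invalid pointer that win_linetabsize() then dereferences. Here `rex.lnum` presumably already passed the top/bot range check earlier in the function, so this is likely safe, but recording that in the comment, e.g. `// rex.lnum is inside the Visual area, so reg_getline() cannot return NULL here`, keeps a future reordering from turning the fixed use-after-free into a NULL dereference. The comment `getvvcol() flushes rex.line, need to get it again` would also serve maintainers better if it named the hazard to avoid: `rex.line` is a cached pointer into the buffer's line storage, and any call between the cache and its use that fetches another line may free it, so no such call may be added between this re-fetch and the win_linetabsize() call. The getvvcol() calls sit above this hunk and reg_match_visual() continues after it.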
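Review bot: The key sequence `exe "norm 0o\\k\o0"` cannot enter Visual mode as printed, so the `/\%V` search would not reach the code path this commit fixes; it is presumably `\<Esc>` and `\<C-V>` key notation whose angle brackets were stripped in this rendering, and anyone applying the patch from this page should compare that line against the upstream commit before relying on it. Independently, the comment `" this was using freed memory` describes a failure that only a memory checker can observe, since the test passes silently on an ordinary build; stating that makes the test's purpose clear: `" this was using freed memory; only fails under valgrind/ASAN`.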