From: Markus Koschany
Date: Wed, 19 Oct 2022 20:05:49 +0200
Subject: CVE-2021-4193
Origin: https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b
---
 src/charset.c | 13 +++++++++----
 src/testdir/test_regexp_latin.vim | 8 ++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)
--- a/src/charset.c
+++ b/src/charset.c
@@ -1244,10 +1244,15 @@ getvcol(
 posptr = NULL; /* continue until the NUL */
 else
 {
- /* Special check for an empty line, which can happen on exit, when
- * ml_get_buf() always returns an empty string. */
- if (*ptr == NUL)
- pos->col = 0;
+ colnr_T i;
+
+ // In a few cases the position can be beyond the end of the line.
+ for (i = 0; i < pos->col; ++i)
+ if (ptr[i] == NUL)
+ {
+ pos->col = i;
+ break;
+ }
 posptr = ptr + pos->col;
 if (has_mbyte)
 /* always start on the first byte */
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -101,3 +101,11 @@ func Test_using_visual_position()
 bwipe!
 endfunc
 
+func Test_using_invalid_visual_position()
+ " this was going beyond the end of the line
+ new
+ exe "norm 0o000\0\$s0"
+ /\%V
+ bwipe!
+endfunc
+
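Review bot: The comment added above the loop in getvcol() says only "in a few cases" and does not record that `pos->col = i` writes the clamped column back through the caller's pointer, so a stale position is corrected for the caller too, not just for this computation. I would expand it to something like `// pos->col may point past the NUL (e.g. a stale Visual position, see Test_using_invalid_visual_position); clamp it so posptr stays inside the line.` The loop rescans the line from index 0 on every call that reaches this branch, so its cost is linear in the column. It also guards only against a column that is too large; whether a negative column can reach `posptr = ptr + pos->col` cannot be told from here, because getvcol() starts and ends outside the hunk.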
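Review bot: The key sequence in `exe "norm 0o000\0\$s0"` carries no special-key notation (for example `\<Esc>` or `\<C-V>`), so as shown it would stay in Insert mode and never set up a Visual area before `/\%V` runs. This is probably an artifact of how the patch was rendered, but the test file as applied should be compared with the upstream commit named in the Origin line, because a test that never sets the Visual position would pass with or without the charset.c fix. The function also has no assertion, so it reports the out-of-bounds read only when the suite runs under a memory checker; a comment such as `" passes when no invalid memory access is reported (run under ASan/valgrind)` would make that explicit.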