From: Markus Koschany
Date: Sun, 30 Oct 2022 22:14:06 +0100
Subject: CVE-2022-0943
Origin: https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653a3
---
 src/spell.c | 4 ++++
 src/testdir/test_spell.vim | 17 +++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/src/spell.c b/src/spell.c
index 758a12e..2d36953 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3259,6 +3259,10 @@ spell_suggest(int count)
 curwin->w_cursor.col = VIsual.col;
 ++badlen;
 end_visual_mode();
+ // make sure we don't include the NUL at the end of the line
+ line = ml_get_curline();
+ if (badlen > STRLEN(line) - curwin->w_cursor.col)
+ badlen = STRLEN(line) - curwin->w_cursor.col;
 }
 /* Find the start of the badly spelled word. */
 else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 0a7d8d4..50e2d54 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -126,6 +126,23 @@ func Test_spellreall()
 bwipe!
 endfunc
+func Test_spellsuggest_visual_end_of_line()
+ set spell
+ let enc_save = &encoding
+ set encoding=iso8859
+
+ " This was reading beyond the end of the line.
+ norm R00000000000
+ sil norm ^V0
+ sil! norm ^Vi00000)
+ sil! norm ^Vi00000)
+ call feedkeys("\")
+ norm z=
+
+ let &encoding = enc_save
+ set nospell
+endfunc
+
 func Test_spellinfo()
 new
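Review bot: In the src/spell.c hunk, the new bound `STRLEN(line) - curwin->w_cursor.col` is probably computed as an unsigned value, assuming STRLEN wraps strlen() as its name suggests. If the cursor column could ever sit past the end of the line, the subtraction would wrap to a very large number and the clamp would leave `badlen` untouched, which is the over-read this patch is meant to stop. The declarations of `badlen` and `line` are outside the hunk, so this is inferred rather than confirmed. Doing the arithmetic in signed form makes the guard hold and removes the signed/unsigned comparison: `if (badlen > (int)STRLEN(line) - (int)curwin->w_cursor.col)` followed by `badlen = (int)STRLEN(line) - (int)curwin->w_cursor.col;`, with a negative result treated as zero. spell_suggest begins and ends outside the hunk, so how `badlen` is used afterwards should be checked against that lower bound.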