From: Markus Koschany
Date: Mon, 7 Nov 2022 00:35:02 +0100
Subject: CVE-2022-3234
Origin: https://github.com/vim/vim/commit/c249913edc35c0e666d783bfc21595cf9f7d9e0d
---
src/ops.c | 12 ++++++++++--
src/testdir/test_virtualedit.vim | 14 ++++++++++++++
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/ops.c b/src/ops.c
index 84b5f90..c2319b1 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2295,6 +2295,8 @@ op_replace(oparg_T *oap, int c) while (LTOREQ_POS(curwin->w_cursor, oap->end)) { + int done = FALSE; + n = gchar_cursor(); if (n != NUL) {
@@ -2305,6 +2307,7 @@ op_replace(oparg_T *oap, int c) if (curwin->w_cursor.lnum == oap->end.lnum) oap->end.col += (*mb_char2len)(c) - (*mb_char2len)(n); replace_character(c); + done = TRUE; } else {
@@ -2323,10 +2326,15 @@ op_replace(oparg_T *oap, int c) if (curwin->w_cursor.lnum == oap->end.lnum) getvpos(&oap->end, end_vcol); } - PBYTE(curwin->w_cursor, c); + // with "coladd" set may move to just after a TAB + if (gchar_cursor() != NUL) + { + PBYTE(curwin->w_cursor, c); + done = TRUE; + } } } - else if (virtual_op && curwin->w_cursor.lnum == oap->end.lnum) + if (!done && virtual_op && curwin->w_cursor.lnum == oap->end.lnum) { int virtcols = oap->end.coladd;
diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim
index 67adede..6b8fdfd 100644
--- a/src/testdir/test_virtualedit.vim
+++ b/src/testdir/test_virtualedit.vim
@@ -73,3 +73,17 @@ func Test_edit_CTRL_G() bwipe! set virtualedit= endfunc
+
+" this was replacing the NUL at the end of the line
+func Test_virtualedit_replace_after_tab()
+ new
+ s/\v/ 0
+ set ve=all
+ let @" = ''
+ sil! norm vPvr0
+
+ call assert_equal("\t0", getline(1))
+ set ve&
+ bwipe!
+endfunc
+
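Review bot: The comment added above the `gchar_cursor() != NUL` guard in the third src/ops.c hunk (`@@ -2323,10 +2326,15 @@`) explains how the cursor ends up there but not why the write has to be skipped, which is the point of the fix. I would reword it to `// With "coladd" set the cursor may now be just after a TAB, i.e. on the NUL ending the line;` followed by `// PBYTE() there would overwrite the terminator, so skip the write and leave "done" FALSE.` Turning `else if` into `if (!done && virtual_op && ...)` also lets that block run after the `n != NUL` path; its body and the rest of op_replace lie outside the hunk, so it is worth confirming that the block never writes at the NUL either.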
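Review bot: `sil! norm vPvr0` in Test_virtualedit_replace_after_tab swallows any error raised by the normal-mode command, so the test rests entirely on the single `assert_equal("\t0", getline(1))`. As far as the hunk shows, that assertion checks the resulting text rather than the out-of-bounds write itself, so a regression may only be caught reliably when the suite runs under a memory checker. I would say so in the header comment, e.g. `" This was replacing the NUL at the end of the line; run under ASan/Valgrind to catch the overwrite itself.`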