From: Markus Koschany
Date: Mon, 7 Nov 2022 00:48:30 +0100
Subject: CVE-2022-3324
Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bfeb
---
 src/testdir/test_cmdline.vim | 22 ++++++++++++++++++++++
 src/window.c | 5 ++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 3878637..4a35201 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -620,5 +620,27 @@ func Test_report_error_with_composing()
 call assert_equal('yes', caught)
 endfunc
+" This was resulting in a window with negative width.
+" The test doesn't reproduce the illegal memory access though...
+func Test_cmdwin_split_often()
+ let lines = &lines
+ let columns = &columns
+ set t_WS=
+
+ try
+ set encoding=iso8859
+ set ruler
+ winsize 0 0
+ noremap 0 H
+ sil norm 0000000q:
+ catch /E36:/
+ endtry
+
+ bwipe!
+ set encoding=utf8
+ let &lines = lines
+ let &columns = columns
+endfunc
+
 set cpo&
diff --git a/src/window.c b/src/window.c
index 7c7f580..c4d97d6 100644
--- a/src/window.c
+++ b/src/window.c
@@ -1945,6 +1945,8 @@ win_equal_rec(
 if (hnc) /* add next_curwin size */
 {
 next_curwin_size -= p_wiw - (m - n);
+ if (next_curwin_size < 0)
+ next_curwin_size = 0;
 new_size += next_curwin_size;
 room -= new_size - next_curwin_size;
 }
@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_height)
 void
 win_new_width(win_T *wp, int width)
 {
- wp->w_width = width;
+ // Should we give an error if width < 0?
+ wp->w_width = width < 0 ? 0 : width;
 wp->w_lines_valid = 0;
 changed_line_abv_curs_win(wp);
 invalidate_botline_win(wp);
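Review bot: Test_cmdwin_split_often() leaves global state changed for whatever test runs after it: `set t_WS=`, `set ruler` and `noremap 0 H` are never undone, and the encoding is reset to a hard-coded `utf8` rather than to a saved value. Undoing them after `endtry`, for example with `unmap 0` and `set ruler&` plus restoring saved copies of `&t_WS` and `&encoding`, keeps later tests in the file independent of this one. The test's own comment says it does not reproduce the illegal memory access, so it only exercises the negative-width path; the memory-safety side of the fix would need a run under a memory checker to be covered.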
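Review bot: The clamp added in win_equal_rec() has no comment saying when `next_curwin_size` can drop below zero, so a later reader cannot tell a required guard from dead code. From the line above it, that happens when `p_wiw - (m - n)` is larger than the size computed so far; a comment such as `/* p_wiw - (m - n) can exceed the size so far; never pass on a negative size */` would record that. Whether `room` can still go negative in `room -= new_size - next_curwin_size;` is not visible here, because win_equal_rec() starts and ends outside the hunk.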
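Review bot: The comment added in win_new_width() leaves an open question in the code (`Should we give an error if width < 0?`) instead of stating the invariant the clamp enforces. Clamping silently in the setter means a caller that computes a negative width is never reported; the win_equal_rec() hunk fixes one such computation, and others may exist outside this patch. I would word it as `// Callers may compute a negative width; clamp so w_width is never negative.` and settle the error-reporting question separately. The function body continues past the end of the hunk.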