vim-patch:8.2.4969: changing text in Visual mode may cause invalid memory access

Problem:    Changing text in Visual mode may cause invalid memory access.
Solution:   Check the Visual position after making a change.
https://github.com/vim/vim/commit/7ce5b2b590256ce53d6af28c1d203fb3bc1d2d97

4 files changed, 34 insertions, 7 deletions

diff --git a/src/nvim/change.c b/src/nvim/change.c
index a21665dc23..94e5a19edc 100644
--- a/src/nvim/change.c
+++ b/src/nvim/change.c
@@ -209,6 +209,10 @@ static void changed_common(linenr_T lnum, colnr_T col, linenr_T lnume, long xtra
     curwin->w_changelistidx = curbuf->b_changelistlen;
   }
 
+  if (VIsual_active) {
+    check_visual_pos();
+  }
+
   FOR_ALL_TAB_WINDOWS(tp, wp) {
     if (wp->w_buffer == curbuf) {
       // Mark this window to be redrawn later.
diff --git a/src/nvim/cursor.c b/src/nvim/cursor.c
index 11c734479c..1446257f7e 100644
--- a/src/nvim/cursor.c
+++ b/src/nvim/cursor.c
@@ -399,6 +399,24 @@ void check_cursor(void)
   check_cursor_col();
 }
 
+/// Check if VIsual position is valid, correct it if not.
+/// Can be called when in Visual mode and a change has been made.
+void check_visual_pos(void)
+{
+  if (VIsual.lnum > curbuf->b_ml.ml_line_count) {
+    VIsual.lnum = curbuf->b_ml.ml_line_count;
+    VIsual.col = 0;
+    VIsual.coladd = 0;
+  } else {
+    int len = (int)STRLEN(ml_get(VIsual.lnum));
+
+    if (VIsual.col > len) {
+      VIsual.col = len;
+      VIsual.coladd = 0;
+    }
+  }
+}
+
 /// Make sure curwin->w_cursor is not on the NUL at the end of the line.
 /// Allow it when in Visual mode and 'selection' is not "old".
 void adjust_cursor_col(void)
diff --git a/src/nvim/edit.c b/src/nvim/edit.c
index 357e9184d7..aa77c03b48 100644
--- a/src/nvim/edit.c
+++ b/src/nvim/edit.c
@@ -6770,13 +6770,8 @@ static void stop_insert(pos_T *end_insert_pos, int esc, int nomove)
 
       // <C-S-Right> may have started Visual mode, adjust the position for
       // deleted characters.
-      if (VIsual_active && VIsual.lnum == curwin->w_cursor.lnum) {
-        int len = (int)STRLEN(get_cursor_line_ptr());
-
-        if (VIsual.col > len) {
-          VIsual.col = len;
-          VIsual.coladd = 0;
-        }
+      if (VIsual_active) {
+        check_visual_pos();
       }
     }
   }
diff --git a/src/nvim/testdir/test_visual.vim b/src/nvim/testdir/test_visual.vim
index 42209f8ddd..41c29c5bb0 100644
--- a/src/nvim/testdir/test_visual.vim
+++ b/src/nvim/testdir/test_visual.vim
@@ -1258,6 +1258,16 @@ func Test_visual_block_append_invalid_char()
   set isprint&
 endfunc
 
+func Test_visual_block_with_substitute()
+  " this was reading beyond the end of the line
+  new
+  norm a0)
+  sil! norm  O
+  s/)
+  sil! norm 
+  bwipe!
+endfunc
+
 func Test_visual_reselect_with_count()
   " this was causing an illegal memory access
   let lines =<< trim END