diff -up vim82/src/charset.c.cve4193 vim82/src/charset.c

--- vim82/src/charset.c.cve4193	2021-03-22 10:02:42.000000000 +0100

+++ vim82/src/charset.c	2022-01-13 10:14:55.634913386 +0100

@@ -1232,10 +1232,15 @@ getvcol(

 	posptr = NULL;  // continue until the NUL

     else

     {

-	// Special check for an empty line, which can happen on exit, when

-	// ml_get_buf() always returns an empty string.

-	if (*ptr == NUL)

-	    pos->col = 0;

+	colnr_T i;

+

+	// In a few cases the position can be beyond the end of the line.

+	for (i = 0; i < pos->col; ++i)

+	    if (ptr[i] == NUL)

+	    {

+		pos->col = i;

+		break;

+	    }

 	posptr = ptr + pos->col;

 	if (has_mbyte)

 	    // always start on the first byte

diff -up vim82/src/testdir/test_regexp_latin.vim.cve4193 vim82/src/testdir/test_regexp_latin.vim

--- vim82/src/testdir/test_regexp_latin.vim.cve4193	2022-01-13 10:14:55.634913386 +0100

+++ vim82/src/testdir/test_regexp_latin.vim	2022-01-13 10:17:01.905292715 +0100

@@ -938,4 +938,12 @@ func Test_regexp_last_subst_string()

   close!

 endfunc

+func Test_using_invalid_visual_position()

+  " this was going beyond the end of the line

+  new

+  exe "norm 0o000\<Esc>0\<C-V>$s0"

+  /\%V

+  bwipe!

+endfunc

+

 " vim: shiftwidth=2 sts=2 expandtab