diff -up vim80/src/ops.c.cve0261 vim80/src/ops.c
--- vim80/src/ops.c.cve0261 2022-01-26 14:30:27.475308323 +0100
+++ vim80/src/ops.c 2022-01-26 14:34:16.650933713 +0100
@@ -636,23 +636,30 @@ block_insert(
if (b_insert)
{
off = (*mb_head_off)(oldp, oldp + offset + spaces);
+ spaces -= off;
+ count -= off;
}
else
{
- off = (*mb_off_next)(oldp, oldp + offset);
- offset += off;
+ // spaces fill the gap, the character that's at the edge moves
+ // right
+ off = (*mb_head_off)(oldp, oldp + offset);
+ offset -= off;
}
spaces -= off;
count -= off;
}
#endif
- newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1);
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc(STRLEN(oldp) + spaces + s_len
+ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
+ + count + 1);
if (newp == NULL)
continue;
/* copy up to shifted part */
- mch_memmove(newp, oldp, (size_t)(offset));
+ mch_memmove(newp, oldp, (size_t)offset);
oldp += offset;
/* insert pre-padding */
@@ -662,14 +669,21 @@ block_insert(
mch_memmove(newp + offset + spaces, s, (size_t)s_len);
offset += s_len;
- if (spaces && !bdp->is_short)
+ if (spaces > 0 && !bdp->is_short)
{
- /* insert post-padding */
- vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces));
- /* We're splitting a TAB, don't copy it. */
- oldp++;
- /* We allowed for that TAB, remember this now */
- count++;
+ if (*oldp == TAB)
+ {
+ // insert post-padding
+ vim_memset(newp + offset + spaces, ' ',
+ (size_t)(p_ts - spaces));
+ // we're splitting a TAB, don't copy it
+ oldp++;
+ // We allowed for that TAB, remember this now
+ count++;
+ }
+ else
+ // Not a TAB, no extra spaces
+ count = spaces;
}
if (spaces > 0)
@@ -2738,9 +2752,9 @@ op_insert(oparg_T *oap, long count1)
oap->start_vcol = t;
}
else if (oap->op_type == OP_APPEND
- && oap->end.col
+ && oap->start.col
#ifdef FEAT_VIRTUALEDIT
- + oap->end.coladd
+ + oap->start.coladd
#endif
>= curbuf->b_op_start_orig.col
#ifdef FEAT_VIRTUALEDIT
diff -up vim80/src/testdir/test_visual.vim.cve0261 vim80/src/testdir/test_visual.vim
--- vim80/src/testdir/test_visual.vim.cve0261 2022-01-26 14:30:27.476308325 +0100
+++ vim80/src/testdir/test_visual.vim 2022-01-26 14:36:03.482225225 +0100
@@ -254,3 +254,12 @@ func Test_virtual_replace2()
%d_
set bs&vim
endfunc
+
+func Test_visual_block_append_invalid_char()
+ " this was going over the end of the line
+ new
+ call setline(1, [' let xxx', 'xxxxx', 'xxxxxxxxxxx'])
+ exe "normal 0\<C-V>jjA-\<Esc>"
+ call assert_equal([' - let xxx', 'xxxxx -', 'xxxxxxxx-xxx'], getline(1, 3))
+ bwipe!
+endfunc