Release date:
2026-04-30 09:30:01 UTC
Description:
- CVE-2021-4019: replace the unbounded STRCPY pair in find_help_tags()
with vim_snprintf bounded by IOSIZE to prevent heap buffer overflow
with long :help arguments starting with "\%_z@".
- CVE-2021-4192: re-fetch regline/reginput via reg_getline() after
getvvcol() in reg_match_visual() so the cached line pointer cannot
become a use-after-free when getvvcol flushes the line buffer.
- CVE-2021-4193: clamp pos->col to the first NUL in getvcol() so
/\%V searches cannot read past the end of the line.
- CVE-2022-1720: in get_visual_text(), drop a trailing NUL from
non-mbyte selection length and guard the mbyte correction with
*lenp > 0 so "gf" in Visual block mode does not read past the line.
- CVE-2022-2126: also require sp->ts_fidx > 0 before decrementing
ts_fidx in the DIFF_INSERT branch of suggest_trie_walk() so spell
suggestion cannot read before the start of the bad-word buffer.
- CVE-2022-2210: initialise off = 0 at the top of the deleted > 0
branch of diff_mark_adjust_tp() and only compute the real offset in
the "5. delete lines at or just before top of diff" case, so a
diff-block full-delete does not use a stale offset.
- CVE-2022-2285: place a NUL terminator at tp[len] before key-name
matching in check_termcode() so crafted typeahead cannot be read
past the end of the buffer.
- CVE-2022-2345: always vim_strsave(newsub) into reg_prev_sub in
regtilde() and track an allocated regtilde result in sub_copy in
do_sub() so a recursive :s cannot use freed memory.
Updated packages:
- vim-X11-7.4.629-8.0.1.el7_9.tuxcare.els7.x86_64.rpm
  sha:e0df98b7987ee59924e93448b2e25c3aecfc5bb9a0c9be8a99df718c8c5ad9aa
- vim-common-7.4.629-8.0.1.el7_9.tuxcare.els7.x86_64.rpm
  sha:bd3d571b5d30c50e8579d546a6b403d596840ca22a2f0dc418d4cfdbc8305dc7
- vim-enhanced-7.4.629-8.0.1.el7_9.tuxcare.els7.x86_64.rpm
  sha:9790785fd5699ee8815f525168af5ea4a1a95ac0e530c4bbfdce4a137ed5cfb2
- vim-filesystem-7.4.629-8.0.1.el7_9.tuxcare.els7.x86_64.rpm
  sha:a2de3acd9ad39b27d40691650ec7b926ca93084c7baec11aadb0784cc3ff604f
- vim-minimal-7.4.629-8.0.1.el7_9.tuxcare.els7.x86_64.rpm
  sha:0e031c4b35430ed0e1a25e9f804c81e730d5dfbbc1cb326a2df6a51a5e577c01
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.