Release date:
2026-05-02 00:01:20 UTC
Description:
- CVE-2022-2182: in do_one_cmd(), after ";" sets curwin->w_cursor.lnum
to ea.line2, call check_cursor() instead of check_cursor_lnum() so
the column is validated too, and fall back to check_cursor_col()
when ea.line2 is zero, preventing read past end-of-line on ":0;'{".
- CVE-2022-2206: in check_shellsize(), clamp cmdline_row and msg_row
to Rows - 1 after limit_screen_size() so a shrinking terminal
cannot leave those values referencing freed screen rows.
- CVE-2022-2257: in str2special(), when the byte is single-byte set
*sp = str + (*str == NUL ? 0 : 1) so the caller cannot walk past
the terminating NUL when a menu item ends in a modifier-only key.
- CVE-2022-2849: in latin_ptr2len()/dbcs_ptr2len(), return 0 when
*p == NUL so loops that advance by mb_ptr2len() cannot walk past
the NUL terminator (matches the contract documented in
src/globals.h).
- CVE-2022-3352: in spell_load_lang(), snapshot curbuf before the
SpellFileMissing autocommand and break out of the retry loop if
the autocommand deleted/replaced curbuf, preventing a
use-after-free on the cached "lang"/"curbuf" pointer. Uses
sl.sl_lang (stack copy) for the apply_autocmds pattern to survive
buffer deletion.
- CVE-2023-2609: in get_register() (ops.c), treat y_current->y_array
== NULL the same as y_size == 0 and set reg->y_array to NULL, so
an invalid/NULL register contents cannot be walked as a valid
string vector.
- CVE-2021-3778: in find_match_text() (regexp_nfa.c), advance by
utf_ptr2len(regline + col + len2) under enc_utf8 instead of
MB_CHAR2LEN(c2), so an invalid UTF-8 byte cannot cause a read
past the end of the line.
- CVE-2022-1616: in append_command() (ex_docmd.c), change the
buffer-space check to "d - IObuff + 5 < IOSIZE" and skip copying
a multibyte character whose length would overrun IObuff, so an
invalid command with composing chars cannot overflow the
error-message buffer.
- CVE-2022-1897: in undo_time() (undo.c), call text_locked() /
text_locked_msg() and return early, so :undo / :earlier / g-
cannot run while the text is locked (e.g. inside a :substitute
callback) and free a buffer the caller is still walking.
- CVE-2022-2125: in get_lisp_indent() (misc1.c), after the
double-quoted-string skip loop break out of the outer scan loop
when *that is NUL so lisp indenting cannot walk past end-of-line
on an unterminated quote.
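The CVE-2022-2849 item above relies on a length function that reports 0 at the terminator. The following is an added illustration of that contract, not code from Vim or from the patched package; skip_chars, ptr2len_before, ptr2len_after, past_terminator and LINE are hypothetical names, and the pre-fix behaviour (length 1 for every byte) is an assumption made for the comparison.

```c
#include <stdio.h>
#include <string.h>

#define NUL '\0'

/* Constructed sample: the line "ab", its NUL, then bytes standing in for
 * whatever follows the line in memory (kept inside one array so the demo
 * itself never reads out of bounds). */
static const unsigned char LINE[8] = { 'a', 'b', NUL, '?', '?', '?', '?', NUL };

/* Assumption: pre-fix single-byte behaviour, every byte counts as length 1. */
static int ptr2len_before(const unsigned char *p) { (void)p; return 1; }

/* Behaviour the advisory describes: the terminating NUL has length 0. */
static int ptr2len_after(const unsigned char *p) { return *p == NUL ? 0 : 1; }

/* Hypothetical caller: advance over `count` characters without testing for
 * NUL itself, trusting ptr2len to stop it. Returns the final byte offset. */
static size_t skip_chars(const unsigned char *s, int count,
                         int (*ptr2len)(const unsigned char *))
{
    size_t off = 0;
    while (count-- > 0)
        off += (size_t)ptr2len(s + off);
    return off;
}

/* 1 if `off` lies beyond the string's terminator, else 0. */
static int past_terminator(const unsigned char *s, size_t off)
{
    return off > strlen((const char *)s);
}

int main(void)
{
    size_t before = skip_chars(LINE, 4, ptr2len_before);
    size_t after = skip_chars(LINE, 4, ptr2len_after);
    printf("before: offset %zu, past NUL: %d\n", before, past_terminator(LINE, before));
    printf("after:  offset %zu, past NUL: %d\n", after, past_terminator(LINE, after));
    return 0;
}
```

With the zero-length contract the offset stops at the terminator however many characters the caller asks to skip; a caller that loops until the pointer moves must still test for NUL itself.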
Updated packages:
- vim-X11-7.4.629-8.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:edc680a5aaa3ea1482756c0b3485c3fcb207d0837aa7683af272b2f632dcece6
- vim-common-7.4.629-8.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:4710d79c6af52f94300518f352fa02520e963c318af38ad96d06d04f65fb8716
- vim-enhanced-7.4.629-8.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:657e1497de60c9280a19d31ed9956b3a93b538d65e2192d779c6a5c28be2e051
- vim-filesystem-7.4.629-8.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:2e71a3a93e8fd8eeff724d88b2bef3b1b21a8b9104414d37c57a16057cc4915d
- vim-minimal-7.4.629-8.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:5aeebde87fed214675d6d086a3c8f42861691e703b1bab65bb762c47c6a3d3f2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections, please contact the CloudLinux Packaging Team.