Release date:
2026-04-30 10:41:00 UTC
Description:
- CVE-2021-3928: in suggest_trie_walk() only credit a non-word-char
boundary with SCORE_NONWORD when preword is non-empty, so spell
suggestions do not read uninitialized memory behind preword.
- CVE-2021-3974: in nfa_regmatch() NFA_MARK / NFA_MARK_GT /
NFA_MARK_LT, save reginput - regline and re-fetch regline via
reg_getline() after getmark_buf() so a use-after-free cannot occur
when getmark_buf() flushes the current line.
- CVE-2022-0368: call check_pos(curbuf, &VIsual) at the end of
u_undo_end() when Visual mode is active, so an undo that shortens
the buffer cannot leave VIsual pointing past end-of-line /
end-of-buffer. Adds a check_pos() helper in misc2.c.
- CVE-2022-0696: in win_new_tabpage() and goto_tabpage_tp(),
refuse to switch/create a tabpage while cmdwin_type != 0,
emitting e_cmdwin instead of crashing on cmdline-window re-entry.
- CVE-2022-1629: in find_next_quote(), after advancing past an
escape character return -1 if the next byte is NUL so a trailing
backslash cannot be read past end-of-line.
- CVE-2022-1735: call new check_visual_pos() helper from
changed_common() (misc1.c) and stop_insert() (edit.c) whenever
Visual mode is active so a change that shrinks the buffer cannot
leave VIsual pointing past end-of-line / end-of-buffer.
- CVE-2022-1771: cap getcmdline() recursion at 50 via a static
depth counter, emitting E169 "Command too recursive" on overflow
to prevent a crash from self-recursive cmdline input (e.g. the "=@"
register loop).
- CVE-2022-1898: in nv_brackets(), copy the identifier under the
cursor with vim_strnsave() before calling find_pattern_in_path()
for "]d"/"[d", so that a match in a modified/freed line cannot
cause a use-after-free on ptr.
- CVE-2022-1968: add get_line_and_copy() helper in search.c and
use it instead of ml_get() in find_pattern_in_path(), so the
regexp cannot leave line pointing into freed buffer memory when
a mark invalidates the current line.
- CVE-2022-2124: in current_quote() (search.c), break out of the
selection-scan loop when line[i] is NUL so a changed line does
not cause a read past end-of-line while iterating up to col_end.
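The CVE-2022-1629 fix described above, as an added example that is not Vim's or the vendor's code: a simplified single-byte model of a quote scanner, run on a constructed line that ends in a backslash, with and without the NUL check after the escape character. The names scan_quote, in_line and sample are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified single-byte model of the quote scanner (hypothetical names,
 * not Vim's source). Returns the index of the next quotechar at or after
 * col, or -1 when the line ends first. */
static int scan_quote(const char *line, int col, int quotechar,
                      const char *escape, int patched)
{
    for (;;) {
        int c = (unsigned char)line[col];
        if (c == '\0')
            return -1;
        if (escape != NULL && strchr(escape, c) != NULL) {
            ++col;                      /* step onto the escaped byte */
            if (patched && line[col] == '\0')
                return -1;              /* trailing escape: stop at the terminator */
        } else if (c == quotechar) {
            return col;
        }
        ++col;          /* without the check above, this steps over the NUL */
    }
}

/* Constructed sample: the logical line is `say \` (5 bytes). The bytes after
 * its terminator stand in for whatever follows the line in memory. */
static const char sample[] = "say \\\0\"stale";

/* True when idx is -1 or points inside the NUL-terminated line. */
static int in_line(int idx, const char *line)
{
    return idx < 0 || (size_t)idx < strlen(line);
}

int main(void)
{
    int before = scan_quote(sample, 0, '"', "\\", 0);
    int after  = scan_quote(sample, 0, '"', "\\", 1);
    printf("unpatched: %d (inside line: %d)\n", before, in_line(before, sample));
    printf("patched:   %d (inside line: %d)\n", after, in_line(after, sample));
    return 0;
}
```

On a line with no trailing escape, both variants return the same index, so the check changes behaviour only in the trailing-backslash case.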
Updated packages:
- vim-X11-7.4.629-8.0.1.el7_9.tuxcare.els8.x86_64.rpm
  sha:4bc2500579f42d4273c003c498ec2d44ef1e77f06173b436306932751f22573c
- vim-common-7.4.629-8.0.1.el7_9.tuxcare.els8.x86_64.rpm
  sha:511961fccc97763294620e9174004ac6cf85b9e8f9dd4fee49f7f80f30a1b569
- vim-enhanced-7.4.629-8.0.1.el7_9.tuxcare.els8.x86_64.rpm
  sha:7fad86288678bf5249cf2ab3dedd5f9346f911a7d7d3c0ec88a93c4a5d0e0930
- vim-filesystem-7.4.629-8.0.1.el7_9.tuxcare.els8.x86_64.rpm
  sha:61c533e8d73f9520091388fbf1eea77e9e96a8fc5182cae58ebe891115185c67
- vim-minimal-7.4.629-8.0.1.el7_9.tuxcare.els8.x86_64.rpm
  sha:242e4d66eb9bdbb8d31564c348cbe41ebcb3991f3fcfb79902140c59ee157722
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.