From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 20 Jan 2022 12:10:48 +0000
Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line

Problem:    Reading beyond the end of a line.
Solution:   For block insert only use the offset for correcting the length.
---
 src/ops.c                   | 20 ++------------------
 src/testdir/test_visual.vim |  9 +++++++++
 2 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/src/ops.c b/src/ops.c
index 13e6bdb..2122ff3 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -528,24 +528,8 @@ block_insert(
 	}
 
 	if (has_mbyte && spaces > 0)
-	{
-	    int off;
-
-	    // Avoid starting halfway a multi-byte character.
-	    if (b_insert)
-	    {
-		off = (*mb_head_off)(oldp, oldp + offset + spaces);
-		spaces -= off;
-		count -= off;
-	    }
-	    else
-	    {
-		// spaces fill the gap, the character that's at the edge moves
-		// right
-		off = (*mb_head_off)(oldp, oldp + offset);
-		offset -= off;
-	    }
-	}
+	    // avoid copying part of a multi-byte character
+	    offset -= (*mb_head_off)(oldp, oldp + offset);
 
 	// Make sure the allocated size matches what is actually copied below.
 	newp = alloc(STRLEN(oldp) + spaces + s_len
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 84a8981..3ed927a 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -913,3 +913,12 @@ func Test_visual_block_append_invalid_char()
   bwipe!
 endfunc
 
+func Test_visual_block_insert_round_off()
+  new
+  " The number of characters are tuned to fill a 4096 byte allocated block,
+  " so that valgrind reports going over the end.
+  call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
+  exe "normal gg0\<C-V>GI" .. repeat('0', 1320) .. "\<Esc>"
+  bwipe!
+endfunc
+
-- 
2.27.0