File vim-8.0.1568-CVE-2022-0413.patch of Package vim.23083

--- vim-8.0.1568.orig/src/ex_cmds.c	2022-02-03 15:23:54.758855898 +0200
+++ vim-8.0.1568/src/ex_cmds.c	2022-02-03 15:21:46.729669927 +0200
@@ -4777,6 +4777,7 @@
     int		save_do_all;		/* remember user specified 'g' flag */
     int		save_do_ask;		/* remember user specified 'c' flag */
     char_u	*pat = NULL, *sub = NULL;	/* init for GCC */
+    char_u	*sub_copy = NULL;
     int		delimiter;
     int		sublen;
     int		got_quit = FALSE;
@@ -5072,11 +5073,20 @@
     sub_firstline = NULL;
 
     /*
-     * ~ in the substitute pattern is replaced with the old pattern.
-     * We do it here once to avoid it to be replaced over and over again.
-     * But don't do it when it starts with "\=", then it's an expression.
+     * If the substitute pattern starts with "\=" then it's an expression.
+     * Make a copy, a recursive function may free it.
+     * Otherwise, '~' in the substitute pattern is replaced with the old
+     * pattern.  We do it here once to avoid it to be replaced over and over
+     * again.
      */
-    if (!(sub[0] == '\\' && sub[1] == '='))
+    if (sub[0] == '\\' && sub[1] == '=')
+    {
+	sub = vim_strsave(sub);
+	if (sub == NULL)
+	    return;
+	sub_copy = sub;
+    }
+    else
 	sub = regtilde(sub, p_magic);
 
     /*
@@ -5835,6 +5845,7 @@
 #endif
 
     vim_regfree(regmatch.regprog);
+    vim_free(sub_copy);
 
     /* Restore the flag values, they can be used for ":&&". */
     subflags.do_all = save_do_all;