CVE: CVE-2021-3973
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>

From b6154e9f530544ddc3130d981caae0dabc053757 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 17 Nov 2021 18:00:31 +0000
Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
 file name  Problem:    Crash when using CTRL-W f without finding
 a file name. Solution:   Bail out when the file name length is zero.

---
 src/findfile.c              | 8 ++++++++
 src/normal.c                | 6 ++++--
 src/testdir/test_visual.vim | 8 ++++++++
 src/version.c               | 2 ++
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/findfile.c b/src/findfile.c
index dba547da1..5764fd7b8 100644
--- a/src/findfile.c
+++ b/src/findfile.c
@@ -1727,6 +1727,9 @@ find_file_in_path_option(
     proc->pr_WindowPtr = (APTR)-1L;
 # endif
 
+    if (len == 0)
+	return NULL;
+
     if (first == TRUE)
     {
 	// copy file name into NameBuff, expanding environment variables
@@ -2094,7 +2097,12 @@ find_file_name_in_path(
     int		c;
 # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
     char_u	*tofree = NULL;
+# endif
 
+    if (len == 0)
+	return NULL;
+
+# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
     if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
     {
 	tofree = eval_includeexpr(ptr, len);
diff --git a/src/normal.c b/src/normal.c
index 7cb959257..f0084f2ac 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -3778,8 +3778,10 @@ get_visual_text(
 	    *pp = ml_get_pos(&VIsual);
 	    *lenp = curwin->w_cursor.col - VIsual.col + 1;
 	}
-	if (has_mbyte)
-	    // Correct the length to include the whole last character.
+	if (**pp == NUL)
+	    *lenp = 0;
+	if (has_mbyte && *lenp > 0)
+	    // Correct the length to include all bytes of the last character.
 	    *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
     }
     reset_VIsual_and_resel();
diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index ae281238e..0705fdb57 100644
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
   bwipe!
 endfunc
 
+func Test_visual_block_ctrl_w_f()
+  " Emtpy block selected in new buffer should not result in an error.
+  au! BufNew foo sil norm f
+  edit foo
+
+  au! BufNew
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 52be3c39d..59a314b3a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -742,6 +742,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    3611,
 /**/
     3582,
 /**/