new file mode 100644
@@ -0,0 +1,37 @@
+From 40aa9802ef56d3cdbe256b4c9e58049953051a2d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 15 Nov 2021 14:34:50 +0800
+Subject: [PATCH] patch 8.2.3489: ml_get error after search with range
+
+Problem: ml_get error after search with range.
+Solution: Limit the line number to the buffer line count.
+
+CVE: CVE-2021-3875
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/ex_docmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fb07450f8..89d33ba90 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3586,8 +3586,10 @@ get_address(
+
+ // When '/' or '?' follows another address, start from
+ // there.
+- if (lnum != MAXLNUM)
+- curwin->w_cursor.lnum = lnum;
++ if (lnum > 0 && lnum != MAXLNUM)
++ curwin->w_cursor.lnum =
++ lnum > curbuf->b_ml.ml_line_count
++ ? curbuf->b_ml.ml_line_count : lnum;
+
+ // Start a forward search at the end of the line (unless
+ // before the first line).
+--
+2.17.1
+
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
file://CVE-2021-3903.patch \
file://CVE-2021-3872.patch \
+ file://CVE-2021-3875.patch \
"
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"