diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
--- vim80/src/ex_cmds.c.cve1785	2022-06-10 10:46:33.818286626 +0200
+++ vim80/src/ex_cmds.c	2022-06-10 10:58:04.009515524 +0200
@@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
 		/* Save flags for recursion.  They can change for e.g.
 		 * :s/^/\=execute("s#^##gn") */
 		subflags_save = subflags;
+
+		// Disallow changing text or switching window in an expression.
+		++textlock;
 #endif
 		/* get length of substitution part */
 		sublen = vim_regsub_multi(&regmatch,
 				    sub_firstlnum - regmatch.startpos[0].lnum,
 				    sub, sub_firstline, FALSE, p_magic, TRUE);
 #ifdef FEAT_EVAL
+		--textlock;
+
 		/* Don't keep flags set by a recursive call. */
 		subflags = subflags_save;
 		if (subflags.do_count)
@@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
 		new_end += copy_len;
 
+#ifdef FEAT_EVAL
+		++textlock;
+#endif
 		(void)vim_regsub_multi(&regmatch,
 				    sub_firstlnum - regmatch.startpos[0].lnum,
 					   sub, new_end, TRUE, p_magic, TRUE);
+#ifdef FEAT_EVAL
+		--textlock;
+#endif
 		sub_nsubs++;
 		did_sub = TRUE;
 
diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
--- vim80/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:46:33.818286626 +0200
+++ vim80/src/testdir/test_substitute.vim	2022-06-10 10:59:17.168437630 +0200
@@ -500,3 +500,16 @@ func Test_sub_cmd_8()
   enew!
   set titlestring&
 endfunc
+
+" This was switching windows in between computing the length and using it.
+func Test_sub_change_window()
+  silent! lfile
+  sil! norm o0000000000000000000000000000000000000000000000000000
+  func Repl()
+    lopen
+  endfunc
+  silent!  s/\%')/\=Repl()
+  bwipe!
+  bwipe!
+  delfunc Repl
+endfunc