From bd228fd097b41a798f90944b5d1245eddd484142 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 25 Nov 2021 10:50:12 +0000
Subject: [PATCH] patch 8.2.3669: buffer overflow with long help argument

Problem:    Buffer overflow with long help argument.
Solution:   Use snprintf().
---
 src/ex_cmds.c             | 3 +--
 src/testdir/test_help.vim | 8 ++++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 45c733b..8f6444f 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -5436,8 +5436,7 @@ find_help_tags(
 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
 							   && arg[2] != NUL)))
 	{
-	    STRCPY(d, "/\\\\");
-	    STRCPY(d + 3, arg + 1);
+           vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
 	    // Check for "/\\_$", should be "/\\_\$"
 	    if (d[3] == '_' && d[4] == '$')
 		STRCPY(d + 4, "\\$");
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
index 5dd937a..c2aeb1f 100644
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -55,3 +55,11 @@ func Test_help_local_additions()
   call delete('Xruntime', 'rf')
   let &rtp = rtp_save
 endfunc
+
+func Test_help_long_argument()
+  try
+    exe 'help \%' .. repeat('0', 1021)
+  catch
+    call assert_match("E149:", v:exception)
+  endtry
+endfunc
-- 
1.8.3.1