vim/backport-CVE-2022-2286.patch

From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 19:58:30 +0100
Subject: [PATCH] patch 9.0.0020: with some completion reading past end of
 string

Problem:    With some completion reading past end of string.
Solution:   Check the length of the string.
---
 src/insexpand.c                   | 14 ++++++++++++--
 src/testdir/test_ins_complete.vim |  8 ++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/insexpand.c b/src/insexpand.c
index 4a5feac..734550f 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2209,11 +2209,21 @@ ins_compl_stop(int c, int prev_mode, int retval)
     // but only do this, if the Popup is still visible
     if (c == Ctrl_E)
     {
+	char_u *p = NULL;
+
 	ins_compl_delete();
 	if (compl_leader != NULL)
-	    ins_bytes(compl_leader + get_compl_len());
+	    p = compl_leader;
 	else if (compl_first_match != NULL)
-	    ins_bytes(compl_orig_text + get_compl_len());
+	    p = compl_orig_text;
+	if (p != NULL)
+	{
+	    int	    compl_len = get_compl_len();
+	    int	    len = (int)STRLEN(p);
+
+	    if (len > compl_len)
+		ins_bytes_len(p + compl_len, len - compl_len);
+	}
 	retval = TRUE;
     }
 
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 365c646..20c2b4f 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -2184,4 +2184,12 @@ func Test_complete_smartindent()
   delfunction! FooBarComplete
 endfunc
 
+func Test_complete_overrun()
+  " this was going past the end of the copied text
+  new
+  sil norm si”0s0
+  bwipe!
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab
-- 
1.8.3.1