vim/backport-CVE-2022-2257.patch
shixuantong de9879591c fix CVE-2022-2264 CVE-2022-2257 CVE-2022-2286 CVE-2022-2287
(cherry picked from commit abed0f93104ac6dbfb93cee247292b9f7e4036e3)
2022-07-13 14:58:40 +08:00


From 083692d598139228e101b8c521aaef7bcf256e9a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 29 Jun 2022 21:16:58 +0100
Subject: [PATCH] patch 9.0.0009: going past the end of a menu item with only
modifier
Problem: Going past the end of a menu item with only modifier.
Solution: Check for NUL.
---
src/message.c | 4 ++--
src/testdir/test_menu.vim | 14 ++++++++++++++
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/message.c b/src/message.c
index 363dbe1..679a992 100644
--- a/src/message.c
+++ b/src/message.c
@@ -1735,8 +1735,8 @@ str2special(
*sp = str + 1;
}
else
- // single-byte character or illegal byte
- *sp = str + 1;
+ // single-byte character, NUL or illegal byte
+ *sp = str + (*str == NUL ? 0 : 1);
/* Make special keys and C0 control characters in <> form, also <M-Space>.
* Use <Space> only for lhs of a mapping. */
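Review bot: The updated comment on the else branch mentions NUL but not why the pointer must stay put on `*sp = str + (*str == NUL ? 0 : 1);`. A modifier sequence can end the string with no key byte after it, and `*sp` then has to remain on the terminator so that a caller walking the string stops instead of reading past the buffer. I would spell that out, e.g. `// single-byte character or illegal byte: skip it; at NUL (modifier with no key) do not advance past the end`. The other `*sp = str + 1;` two lines above is unchanged context and its condition is outside the hunk, so it is worth confirming that branch cannot be reached with `*str == NUL`. str2special() begins and continues outside this hunk.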
diff --git a/src/testdir/test_menu.vim b/src/testdir/test_menu.vim
index 0d6b78e..7e411cf 100644
--- a/src/testdir/test_menu.vim
+++ b/src/testdir/test_menu.vim
@@ -84,3 +84,17 @@ func Test_menu_commands()
unlet g:did_menu
endfun
+
+func Test_only_modifier()
+ exe "tmenu a.b \x80\xfc0"
+ let exp =<< trim [TEXT]
+ --- Menus ---
+ 500 a
+ 500 b
+ t - <T-2-^@>
+ [TEXT]
+ call assert_equal(exp, split(execute('tmenu'), "\n"))
+
+ tunmenu a.b
+endfunc
+
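Review bot: The byte string in `exe "tmenu a.b \x80\xfc0"` is not explained, so the next reader cannot tell what makes this input special. A comment above it such as `" K_SPECIAL, KS_MODIFIER and a modifier byte with no key after it (patch 9.0.0009)` would tie the test to the fix. The `assert_equal()` only compares the menu listing, so the read past the end would presumably show up only when the test suite runs under a memory checker or sanitizer build; saying so in the comment keeps the test from being simplified away later.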
--
1.8.3.1