vim/backport-CVE-2022-2286.patch

From f12129f1714f7d2301935bb21d896609bdac221c Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Fri, 1 Jul 2022 19:58:30 +0100
Subject: [PATCH] patch 9.0.0020: with some completion reading past end of
 string

Problem:    With some completion reading past end of string.
Solution:   Check the length of the string.
---
 src/insexpand.c                   | 14 ++++++++++++--
 src/testdir/test_ins_complete.vim |  7 +++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/insexpand.c b/src/insexpand.c
index 50e0579..66a836e 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2038,11 +2038,21 @@ ins_compl_prep(int c)
 	    // but only do this, if the Popup is still visible
 	    if (c == Ctrl_E)
 	    {
+        	char_u *p = NULL;
+
 		ins_compl_delete();
 		if (compl_leader != NULL)
-		    ins_bytes(compl_leader + ins_compl_len());
+        	    p = compl_leader;
 		else if (compl_first_match != NULL)
-		    ins_bytes(compl_orig_text + ins_compl_len());
+        	    p = compl_orig_text;
+        	if (p != NULL)
+        	{
+        	    int	    compl_len = ins_compl_len();
+        	    int	    len = (int)STRLEN(p);
+
+        	    if (len > compl_len)
+        		ins_bytes_len(p + compl_len, len - compl_len);
+        	}
 		retval = TRUE;
 	    }
 
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 8f584d3..b7cfd29 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -390,3 +390,10 @@ func Test_ins_complete_add()
   bwipe!
 endfunc
 
+func Test_complete_overrun()
+  " this was going past the end of the copied text
+  new
+  sil norm si”0s0
+  bwipe!
+endfunc
+
-- 
1.8.3.1