vim/backport-CVE-2022-2344.patch
shixuantong ceaddaa280 fix CVE-2022-2000 CVE-2022-2042 CVE-2022-2284 CVE-2022-2285 CVE-2022-2304 CVE-2022-2344 CVE-2022-2345
(cherry picked from commit d482e6c896db21013dcea1092263c13c70d9f2bb)
2022-07-11 16:57:46 +08:00



From baefde14550231f6468ac2ed2ed495bc381c0c92 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 7 Jul 2022 19:59:49 +0100
Subject: [PATCH] patch 9.0.0046: reading past end of completion with duplicate
match
Problem: Reading past end of completion with duplicate match.
Solution: Check string length
---
src/insexpand.c | 3 ++-
src/testdir/test_ins_complete.vim | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index bf98cee..50e0579 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -597,7 +597,8 @@ ins_compl_add(
{
if ( !(match->cp_flags & CP_ORIGINAL_TEXT)
&& STRNCMP(match->cp_str, str, len) == 0
- && match->cp_str[len] == NUL)
+ && ((int)STRLEN(match->cp_str) <= len
+ || match->cp_str[len] == NUL))
return NOTDONE;
match = match->cp_next;
} while (match != NULL && match != compl_first_match);
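Review bot: The new `(int)STRLEN(match->cp_str) <= len` test carries no comment explaining why it must come before the `match->cp_str[len]` read, so a later cleanup could easily fold it away again. STRNCMP() stops at the first NUL, so it can report equality for a `cp_str` that is shorter than `len`, and indexing at `len` then reads past the allocation; I would put `// cp_str may be shorter than "len": STRNCMP() stops at NUL, so check the length before indexing` above the condition. The `(int)` cast narrows the result of STRLEN(), which is presumably harmless for completion strings but worth confirming together with how `len` is normalised earlier in the function. The body of ins_compl_add starts and ends outside this hunk.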
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index e48a72c..8f584d3 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -380,3 +380,13 @@ func Test_ins_completeslash()
set completeslash=
endfunc
+func Test_ins_complete_add()
+ " this was reading past the end of allocated memory
+ new
+ norm o
+ norm 7o€€
+ sil! norm o
+
+ bwipe!
+endfunc
+
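Review bot: The `norm 7o€€` line in Test_ins_complete_add depends on raw non-ASCII bytes stored in the patch, and the forge already flags this file for unusual characters, so any re-encoding during the backport would silently change what the test types. Writing the bytes as escapes, for example `exe "norm 7o\x80\x80"` if the original bytes are 0x80 as they appear to be, keeps the input stable across tools. The test also has no assertion and uses `sil!`, so it only catches a regression when the suite runs under a memory checker such as valgrind or ASan; a comment saying so next to `" this was reading past the end of allocated memory` would make that dependency explicit.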
--
1.8.3.1