vim/backport-CVE-2022-2571.patch

From a6f9e300161f4cb54713da22f65b261595e8e614 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Jul 2022 21:51:37 +0100
Subject: [PATCH] patch 9.0.0102: reading past end of line with insert
mode
 completion

Problem:    Reading past end of line with insert mode completion.
Solution:   Check text length.
---
 src/insexpand.c                   | 2 +-
 src/testdir/test_ins_complete.vim | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/insexpand.c b/src/insexpand.c
index 88dbac6..a23d2d6 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2998,7 +2998,7 @@ ins_compl_get_exp(pos_T *ini)
 		{
 		    char_u	*tmp_ptr = ptr;
 
-		    if (compl_cont_status & CONT_ADDING)
+		    if (compl_cont_status & CONT_ADDING && compl_length <= (int)STRLEN(tmp_ptr))
 		    {
 			tmp_ptr += compl_length;
 			// Skip if already inside a word.
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 5e7353c..39ece18 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -418,3 +418,12 @@ func Test_infercase_very_long_line()
   bwipe!
   set noic noinfercase
 endfunc
+
+func Test_ins_complete_end_of_line()
+  " this was reading past the end of the line
+  new  
+  norm 8o€ý 
+  sil! norm o
+
+  bwipe!
+endfunc
-- 
2.27.0