From: zeertzjq
Date: Tue, 2 Apr 2024 17:01:14 +0000 (+0200)
Subject: patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in ...
X-Git-Tag: v9.1.0254^0
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a419e07a705675ac159218f42c1daa151d2ceea;p=thirdparty%2Fvim.git
patch 9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'
Problem: [security]: Heap buffer overflow when calling complete_add() in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)
closes: #14391
Signed-off-by: zeertzjq
Signed-off-by: Christian Brabandt
---
diff --git a/src/insexpand.c b/src/insexpand.c
index 9b5e5de64c..93a56a8bd3 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -2741,6 +2741,7 @@ expand_by_function(int type, char_u *base)
 --textlock;
 curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(); // make sure cursor position is valid, just in case
 validate_cursor();
 if (!EQUAL_POS(curwin->w_cursor, pos))
 {
@@ -4606,6 +4607,7 @@ get_userdefined_compl_info(colnr_T curs_col UNUSED)
 State = save_State;
 curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(); // make sure cursor position is valid, just in case
 validate_cursor();
 if (!EQUAL_POS(curwin->w_cursor, pos))
 {
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 376d82ff55..eb89a15c53 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
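Review bot: The comment on the added `check_cursor()` line in expand_by_function(), "just in case", does not record why the restored position can be invalid, even though the commit message ties this line to a heap buffer overflow. Judging from the commit message and the new test, the callback can change the line through complete_add(), so the saved `pos` may lie past the end of the text; I would say so, e.g. `// callback may have changed the line; keep the restored cursor inside the text`. The same wording applies to the identical line added in get_userdefined_compl_info(). Because the clamp runs before `if (!EQUAL_POS(curwin->w_cursor, pos))`, that comparison is presumably what now reports the problem to the user; its body lies outside both hunks, so this cannot be confirmed from here.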
@@ -2429,4 +2429,26 @@ func Test_complete_changed_complete_info()
 call StopVimInTerminal(buf)
 endfunc
+func Test_completefunc_first_call_complete_add()
+ new
+
+ func Complete(findstart, base) abort
+ if a:findstart
+ let col = col('.')
+ call complete_add('#')
+ return col - 1
+ else
+ return []
+ endif
+ endfunc
+
+ set completeopt=longest completefunc=Complete
+ " This used to cause heap-buffer-overflow
+ call assert_fails('call feedkeys("ifoo#\\", "xt")', 'E840:')
+
+ delfunc Complete
+ set completeopt& completefunc&
+ bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable
diff --git a/src/version.c b/src/version.c
index 4c7ab84362..abb028b6dc 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 254,
 /**/
 253,
 /**/
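Review bot: The `check_cursor()` added in expand_by_function() appears to have no regression case. The new Test_completefunc_first_call_complete_add() calls complete_add() only in its `a:findstart` branch and returns `[]` otherwise, and expand_by_function() takes `base`, so it presumably serves the later, non-findstart call. Either add a sibling test that reaches that path with 'omnifunc' or 'completefunc', or state in the test comment that the second change is defensive, e.g. `" Only the findstart call is covered here; the check in expand_by_function() is defensive`.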