patch 9.1.1443: potential buffer underflow in insertchar() v9.1.1443
authorjinyaoguo <guo846@purdue.edu>
Mon, 9 Jun 2025 18:31:17 +0000 (20:31 +0200)
committerChristian Brabandt <cb@256bit.org>
Mon, 9 Jun 2025 18:31:17 +0000 (20:31 +0200)
Problem:  potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
          (jinyaoguo)

When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.

This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.

closes: #17476

Signed-off-by: jinyaoguo <guo846@purdue.edu>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/edit.c
src/version.c

index b4e6767f2ca063cb9868ce6df431e9ece1747edd..9cc55ef3d756e4a1bc363e37c04ce55303670dd7 100644 (file)
@@ -2197,7 +2197,7 @@ insertchar(
            i -= middle_len;
 
            // Check some expected things before we go on
-           if (i >= 0 && lead_end[end_len - 1] == end_comment_pending)
+           if (i >= 0 && end_len > 0 && lead_end[end_len - 1] == end_comment_pending)
            {
                // Backspace over all the stuff we want to replace
                backspace_until_column(i);
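Review bot: The added `end_len > 0` test on the `if` line is the only thing that stops a read of `lead_end[-1]`, but the comment above it still says only "Check some expected things before we go on", so a later cleanup could drop the guard as redundant. I would state the reason at the check, e.g. `// end_len is 0 when copy_option_part() copied nothing; never index lead_end[-1]`. The file list for this commit shows only src/edit.c and src/version.c, so no regression test for the `end_len == 0` case appears to accompany the fix, and one would be worth adding. insertchar() starts and ends outside this hunk, so whether `middle_len` (subtracted from `i` just above) needs similar validation cannot be judged from here.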
index 6e0081e9bb167bb055f09809689c7beef923877c..491b51690e8077edc0f1573b10030e9ef83a305f 100644 (file)
@@ -709,6 +709,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1443,
 /**/
     1442,
 /**/