patch 9.1.1609: complete: Heap-buffer overflow with complete function v9.1.1609
authorGirish Palya <girishji@gmail.com>
Fri, 8 Aug 2025 13:42:27 +0000 (15:42 +0200)
committerChristian Brabandt <cb@256bit.org>
Fri, 8 Aug 2025 13:42:27 +0000 (15:42 +0200)
Problem:  complete: Heap-buffer overflow with complete function
          (zeertzjq)
Solution: Do not let startcol become negative (Girish Palya).

fixes: #17907
closes: #17934

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Girish Palya <girishji@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/insexpand.c
src/testdir/test_ins_complete.vim
src/version.c

index 03d946bb89672abaf3deb61598ee787c0a0aa298..5b4afb9e4320cf4435ef3a4dfe6540001dc61fa4 100644 (file)
@@ -247,7 +247,6 @@ typedef struct cpt_source_T
 #endif
 } cpt_source_T;
 
-#define STARTCOL_NONE  -9
 static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources
 static int         cpt_sources_count;  // Total number of completion sources specified in the 'cpt' option
 static int         cpt_sources_index = -1;  // Index of the current completion source being expanded
@@ -5368,10 +5367,12 @@ prepare_cpt_compl_funcs(void)
                else
                    startcol = -2;
            }
+           else if (startcol < 0 || startcol > curwin->w_cursor.col)
+               startcol = curwin->w_cursor.col;
            cpt_sources_array[idx].cs_startcol = startcol;
        }
        else
-           cpt_sources_array[idx].cs_startcol = STARTCOL_NONE;
+           cpt_sources_array[idx].cs_startcol = -3;
 
        (void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
        idx++;
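Review bot: The `else` branch now stores a bare `-3` in `cs_startcol` where the named `STARTCOL_NONE` used to be, and nothing in the hunk says what `-3` (or the `-2` a few lines above) means to the code that later reads the field. Because this field is the value the overflow fix is guarding, a short comment such as `// -3: no usable start column for this source` would help; the exact wording should be confirmed against the readers of `cs_startcol`, which are outside the hunk. The clamp `else if (startcol < 0 || startcol > curwin->w_cursor.col)` is also repeated verbatim in the cpt_compl_refresh() hunk, so a small static helper would keep the two bounds checks from drifting apart. prepare_cpt_compl_funcs() starts and ends outside the hunk.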
@@ -7495,6 +7496,8 @@ cpt_compl_refresh(void)
                    else
                        startcol = -2;
                }
+               else if (startcol < 0 || startcol > curwin->w_cursor.col)
+                   startcol = curwin->w_cursor.col;
                cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
                if (ret == OK)
                {
@@ -7502,9 +7505,6 @@ cpt_compl_refresh(void)
                    get_cpt_func_completion_matches(cb);
                }
            }
-           else
-               cpt_sources_array[cpt_sources_index].cs_startcol
-                   = STARTCOL_NONE;
        }
 
        (void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
index 4ec1f357e2a3d7e3f31986927bbd197a70caac2f..560b2c424eceee22b2a24f237abe32dfa425959a 100644 (file)
@@ -5383,4 +5383,31 @@ func Test_scriplocal_autoload_func()
   let &rtp = save_rtp
 endfunc
 
+" Issue #17907
+func Test_omni_start_invalid_col()
+  func OmniFunc(startcol, findstart, base)
+    if a:findstart
+      return a:startcol
+    else
+      return ['foo', 'foobar']
+    endif
+  endfunc
+
+  new
+  set complete=o
+  set omnifunc=funcref('OmniFunc',\ [-1])
+  call setline(1, ['baz '])
+  call feedkeys("A\<C-N>\<Esc>0", 'tx!')
+  call assert_equal('baz foo', getline(1))
+
+  set omnifunc=funcref('OmniFunc',\ [1000])
+  call setline(1, ['bar '])
+  call feedkeys("A\<C-N>\<Esc>0", 'tx!')
+  call assert_equal('bar foo', getline(1))
+  bw!
+
+  delfunc OmniFunc
+  set omnifunc& complete&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable
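Review bot: Both cases in Test_omni_start_invalid_col() trigger completion once with `A\<C-N>`, so they appear to reach only the clamp in prepare_cpt_compl_funcs(); the identical clamp added to cpt_compl_refresh() looks untested. A further case that calls the completion function again while the popup is open would cover that path. A case where the function returns exactly the cursor column would pin the upper boundary of `startcol > curwin->w_cursor.col`. The assertions compare only the resulting line text, so the out-of-bounds access itself is presumably detected only when the suite runs under a memory sanitizer.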
index c459d7c777a7575bd190aac2aa9c8dfa62fec7dc..4abf6025d2aa6b6a6a1fcc9dd59082247423ddbc 100644 (file)
@@ -719,6 +719,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1609,
 /**/
     1608,
 /**/