authorzeertzjq <zeertzjq@outlook.com>2025-03-15 08:16:28 +0800
committerzeertzjq <zeertzjq@outlook.com>2025-03-15 08:19:34 +0800
commitb0b61c42b3abc9fbbe7f3b06914f8022a6154598 (patch)
treee6b9abeb67585db4772efd915461855efd147347
parentad5bced63798b99d3e423414ac3ca3ebdc02cbc2 (diff)
vim-patch:9.0.1458: buffer overflow when expanding long file name
Problem: Buffer overflow when expanding long file name. Solution: Use a larger buffer and avoid overflowing it. (Yee Cheng Chin, closes vim/vim#12201) https://github.com/vim/vim/commit/a77670726e3706973adffc2b118f4576e1f58ea0 Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
-rw-r--r--src/nvim/path.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nvim/path.c b/src/nvim/path.c
index d92b9c0f7e..7d623261d2 100644
--- a/src/nvim/path.c
+++ b/src/nvim/path.c
@@ -627,7 +627,7 @@ static size_t do_path_expand(garray_T *gap, const char *path, size_t wildoff, in
// Make room for file name. When doing encoding conversion the actual
// length may be quite a bit longer, thus use the maximum possible length.
- const size_t buflen = MAXPATHL;
+ const size_t buflen = strlen(path) + MAXPATHL;
char *buf = xmalloc(buflen);
// Find the first part in the path name that contains a wildcard.
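Review bot: The comment above `buflen` still says the buffer uses "the maximum possible length", which no longer matches `strlen(path) + MAXPATHL` and does not explain why the pattern length is added. A reader auditing this allocation needs the sizing invariant stated, for example `// Room for the whole of "path" plus one expanded component of up to MAXPATHL bytes; every write into buf must stay below buflen.` How `buf` is filled lies outside the hunk, so the exact wording should be checked against the rest of do_path_expand.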
@@ -740,7 +740,7 @@ static size_t do_path_expand(garray_T *gap, const char *path, size_t wildoff, in
&& ((regmatch.regprog != NULL && vim_regexec(&regmatch, name, 0))
|| ((flags & EW_NOTWILD)
&& path_fnamencmp(path + (s - buf), name, (size_t)(e - s)) == 0))) {
- STRCPY(s, name);
+ xstrlcpy(s, name, buflen - (size_t)(s - buf));
len = strlen(buf);
if (starstar && stardepth < 100) {
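Review bot: The bounded copy `xstrlcpy(s, name, buflen - (size_t)(s - buf))` truncates silently, so an entry that does not fit would leave `buf` naming a path that differs from the directory entry, and `len = strlen(buf)` then carries on with it. xstrlcpy returns the length of the source string, so the result can be compared with the remaining space and the entry skipped when it does not fit: `const size_t room = buflen - (size_t)(s - buf);` followed by `if (xstrlcpy(s, name, room) >= room) { continue; }`. This assumes the copy sits inside the per-entry loop, which starts outside the hunk. Any writes to `buf + len` inside the `starstar` branch are also outside the hunk and should be checked against `buflen` in the same way.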