From 86eb339120d630aa5a4ab977d875b8acc701593c Mon Sep 17 00:00:00 2001
From: Michael Ennen
Date: Thu, 21 Apr 2016 12:25:44 -0700
Subject: vim-patch: 7.4.1086 #4626
Problem: Crash with an extremely long buffer name.
Solution: Limit the return value of vim_snprintf(). (Dominique Pelle)
https://github.com/vim/vim/commit/507edf63df75fe228e0f76b845b58d60266e65d8
---
 src/nvim/buffer.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'src/nvim/buffer.c')
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index b00f5e8e5b..72716daf0e 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -2195,15 +2195,16 @@ void buflist_list(exarg_T *eap)
 len = vim_snprintf((char *)IObuff, IOSIZE - 20, "%3d%c%c%c%c%c \"%s\"",
 buf->b_fnum,
 buf->b_p_bl ? ' ' : 'u',
- buf == curbuf ? '%' :
- (curwin->w_alt_fnum == buf->b_fnum ? '#' : ' '),
- buf->b_ml.ml_mfp == NULL ? ' ' :
- (buf->b_nwindows == 0 ? 'h' : 'a'),
+ buf == curbuf ? '%' : (curwin->w_alt_fnum == buf->b_fnum ? '#' : ' '),
+ buf->b_ml.ml_mfp == NULL ? ' ' : (buf->b_nwindows == 0 ? 'h' : 'a'),
 !MODIFIABLE(buf) ? '-' : (buf->b_p_ro ? '=' : ' '),
- (buf->b_flags & BF_READERR) ? 'x'
- : (bufIsChanged(buf) ? '+' : ' '),
+ (buf->b_flags & BF_READERR) ? 'x' : (bufIsChanged(buf) ? '+' : ' '),
 NameBuff);
 
+ if (len > IOSIZE - 20) {
+ len = IOSIZE - 20;
+ }
+
 /* put "line 999" in column 40 or after the file name */
 i = 40 - vim_strsize(IObuff);
 do {
-- cgit
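Review bot: The clamp added after the `vim_snprintf()` call sets `len` to `IOSIZE - 20`, which is the size passed to the call rather than the length of the truncated string. Assuming `vim_snprintf()` follows C99 `snprintf` semantics (it stores at most size - 1 characters plus the NUL and returns the untruncated length), the longest string it can leave in `IObuff` is `IOSIZE - 21` characters, so after the clamp `len` sits one past the terminator. That index is presumably still inside the buffer if `IObuff` holds `IOSIZE` bytes, but any later code that appends at `IObuff[len]` would write after the NUL and the appended text would be cut off from the string. I would clamp to the real length, `if (len >= IOSIZE - 20) { len = IOSIZE - 21; }`, with a comment such as `// vim_snprintf() returns the untruncated length; clamp to what was actually written`. The `do {` loop that consumes `len` continues outside the hunk, so this should be confirmed against its body.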