From aeabd8e2455b979c70277ea83eb9f3375a37bc6f Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Wed, 3 Apr 2024 05:53:08 +0800
Subject: vim-patch:9.1.0254: [security]: Heap buffer overflow when calling complete_add() in 'cfu'
Problem: [security]: Heap buffer overflow when calling complete_add() in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)
closes: vim/vim#14391
https://github.com/vim/vim/commit/0a419e07a705675ac159218f42c1daa151d2ceea
---
 src/nvim/insexpand.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/nvim/insexpand.c b/src/nvim/insexpand.c
index fe5faf8c10..7feb4f6661 100644
--- a/src/nvim/insexpand.c
+++ b/src/nvim/insexpand.c
@@ -2435,7 +2435,8 @@ static void expand_by_function(int type, char *base)
 }
 textlock--;
- curwin->w_cursor = pos; // restore the cursor position
+ curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(curwin); // make sure cursor position is valid, just in case
 validate_cursor(curwin);
 if (!equalpos(curwin->w_cursor, pos)) {
 emsg(_(e_compldel));
@@ -4059,6 +4060,7 @@ static int get_userdefined_compl_info(colnr_T curs_col)
 State = save_State;
 curwin->w_cursor = pos; // restore the cursor position
+ check_cursor(curwin); // make sure cursor position is valid, just in case
 validate_cursor(curwin);
 if (!equalpos(curwin->w_cursor, pos)) {
 emsg(_(e_compldel));
-- cgit
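Review bot: The comment on the added `check_cursor(curwin);` line in expand_by_function(), `// make sure cursor position is valid, just in case`, hides that this call is the fix for the heap buffer overflow named in the commit message; the same line and comment are added in get_userdefined_compl_info() in the second hunk. I would state the reason at both sites, for example `// 'completefunc' may have changed the buffer, so the saved position can lie outside the text; clamp it before it is used`. The call also looks order-sensitive: it presumably has to stay between the restore of `curwin->w_cursor` and `validate_cursor(curwin)`, with the following `equalpos()` test then reporting the change through `e_compldel`, and saying so in the comment would keep a later cleanup from dropping or moving it. Both function bodies start and end outside the hunks, so what runs after `emsg()` is not visible here.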