From aeabd8e2455b979c70277ea83eb9f3375a37bc6f Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Wed, 3 Apr 2024 05:53:08 +0800
Subject: vim-patch:9.1.0254: [security]: Heap buffer overflow when calling
 complete_add() in 'cfu'

Problem:  [security]: Heap buffer overflow when calling complete_add()
          in the first call of 'completefunc'
Solution: Call check_cursor() after calling 'completefunc' (zeertzjq)

closes: vim/vim#14391

https://github.com/vim/vim/commit/0a419e07a705675ac159218f42c1daa151d2ceea
---
 test/old/testdir/test_ins_complete.vim | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'test')

diff --git a/test/old/testdir/test_ins_complete.vim b/test/old/testdir/test_ins_complete.vim
index ac04187a7b..3f67a06999 100644
--- a/test/old/testdir/test_ins_complete.vim
+++ b/test/old/testdir/test_ins_complete.vim
@@ -2490,4 +2490,26 @@ func Test_complete_changed_complete_info()
   call StopVimInTerminal(buf)
 endfunc
 
+func Test_completefunc_first_call_complete_add()
+  new
+
+  func Complete(findstart, base) abort
+    if a:findstart
+      let col = col('.')
+      call complete_add('#')
+      return col - 1
+    else
+      return []
+    endif
+  endfunc
+
+  set completeopt=longest completefunc=Complete
+  " This used to cause heap-buffer-overflow
+  call assert_fails('call feedkeys("ifoo#\<C-X>\<C-U>", "xt")', 'E840:')
+
+  delfunc Complete
+  set completeopt& completefunc&
+  bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable
-- 
cgit