patch 9.1.1609: complete: Heap-buffer overflow with complete function Commit: https://github.com/vim/vim/commit/761ea77670c4fdb96d6c6fb7d4db6dc77eb8095f Author: Girish Palya <giris...@gmail.com> Date: Fri Aug 8 15:42:27 2025 +0200
patch 9.1.1609: complete: Heap-buffer overflow with complete function Problem: complete: Heap-buffer overflow with complete function (zeertzjq) Solution: Do not let startcol become negative (Girish Palya). fixes: #17907 closes: #17934 Co-authored-by: zeertzjq <zeert...@outlook.com> Co-authored-by: Hirohito Higashi <h.east....@gmail.com> Signed-off-by: Girish Palya <giris...@gmail.com> Signed-off-by: Christian Brabandt <c...@256bit.org> diff --git a/src/insexpand.c b/src/insexpand.c index 03d946bb8..5b4afb9e4 100644 --- a/src/insexpand.c +++ b/src/insexpand.c @@ -247,7 +247,6 @@ typedef struct cpt_source_T #endif } cpt_source_T; -#define STARTCOL_NONE -9 static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources static int cpt_sources_count; // Total number of completion sources specified in the 'cpt' option static int cpt_sources_index = -1; // Index of the current completion source being expanded @@ -5368,10 +5367,12 @@ prepare_cpt_compl_funcs(void) else startcol = -2; } + else if (startcol < 0 || startcol > curwin->w_cursor.col) + startcol = curwin->w_cursor.col; cpt_sources_array[idx].cs_startcol = startcol; } else - cpt_sources_array[idx].cs_startcol = STARTCOL_NONE; + cpt_sources_array[idx].cs_startcol = -3; (void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p idx++; @@ -7495,6 +7496,8 @@ cpt_compl_refresh(void) else startcol = -2; } + else if (startcol < 0 || startcol > curwin->w_cursor.col) + startcol = curwin->w_cursor.col; cpt_sources_array[cpt_sources_index].cs_startcol = startcol; if (ret == OK) { @@ -7502,9 +7505,6 @@ cpt_compl_refresh(void) get_cpt_func_completion_matches(cb); } } - else - cpt_sources_array[cpt_sources_index].cs_startcol - = STARTCOL_NONE; } (void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim index 4ec1f357e..560b2c424 100644 --- a/src/testdir/test_ins_complete.vim +++ b/src/testdir/test_ins_complete.vim 
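Review bot: The new `else if (startcol < 0 || startcol > curwin->w_cursor.col)` in prepare_cpt_compl_funcs turns an out-of-range 'findstart' result from user script into the cursor column without saying so, and the bare `-3` that replaces the deleted STARTCOL_NONE sentinel on the no-callback branch is just as silent. Because this value comes from user code and is what later indexes the line, a reader needs to see that the coercion is the intended policy rather than a shortcut: `// 'findstart' result comes from user script: anything before the line start or past the cursor is coerced to the cursor column (#17907)`. Give the sentinel a one-line comment as well, e.g. `// -3: no completion function for this source`, after confirming that reading against the code that consumes cs_startcol, which is outside this hunk. The if/else that precedes the new branch, and the loop enclosing it, start outside the hunk.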
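Review bot: The two-line range check added here to cpt_compl_refresh is character-for-character the one added to prepare_cpt_compl_funcs, so the bound that fixes #17907 now lives in two places and a later change to one can silently leave the other unsafe. A small static helper keeps a single definition of what a valid startcol is; the call must stay on the else branch so the -2/-3 sentinels assigned just above it are not clamped away. cpt_compl_refresh's body begins before this hunk and continues after it, so the declaration of startcol and the earlier ret handling are not visible here.
```c
// Bound a 'findstart' result that came from user script: a negative
// value or one past the cursor would be used to index the line, so
// replace it with the cursor column (#17907).
    static int
clamp_cpt_startcol(int startcol)
{
    if (startcol < 0 || startcol > curwin->w_cursor.col)
	return curwin->w_cursor.col;
    return startcol;
}

/* … unchanged: callback lookup and the -2/-3 handling … */
	    else
		startcol = clamp_cpt_startcol(startcol);
	    cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
```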
@@ -5383,4 +5383,31 @@ func Test_scriplocal_autoload_func() let &rtp = save_rtp endfunc +" Issue #17907 +func Test_omni_start_invalid_col() + func OmniFunc(startcol, findstart, base) + if a:findstart + return a:startcol + else + return ['foo', 'foobar'] + endif + endfunc + + new + set complete=o + set omnifunc=funcref('OmniFunc',\ [-1]) + call setline(1, ['baz ']) + call feedkeys("A\<C-N>\<Esc>0", 'tx!') + call assert_equal('baz foo', getline(1)) + + set omnifunc=funcref('OmniFunc',\ [1000]) + call setline(1, ['bar ']) + call feedkeys("A\<C-N>\<Esc>0", 'tx!') + call assert_equal('bar foo', getline(1)) + bw! + + delfunc OmniFunc + set omnifunc& complete& +endfunc + " vim: shiftwidth=2 sts=2 expandtab nofoldenable diff --git a/src/version.c b/src/version.c index c459d7c77..4abf6025d 100644 --- a/src/version.c +++ b/src/version.c @@ -719,6 +719,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1609, /**/ 1608, /**/
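Review bot: Test_omni_start_invalid_col pins that -1 and 1000 are coerced to the cursor column, but it does not check that the negative results the insexpand.c hunks still reserve (-2 and -3) survive the new `startcol < 0` comparison, so a regression that clamps those too would pass unnoticed. A third case that returns -2 and expects the line untouched would cover it: `set omnifunc=funcref('OmniFunc',\ [-2])` followed by the same setline/feedkeys pair and `call assert_equal('baz ', getline(1))`, assuming -2 still means cancel on the 'complete=o' path, which this diff does not show. The test function and its OmniFunc helper are fully inside the hunk.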