[vim/vim] Potential Buffer Overflow in find_pattern_in_path() (Issue #18195)

[BLKHH]

ReBeating created an issue (vim/vim#18195)

Steps to reproduce

In function find_pattern_in_path, vim will reading past end of line with insert mode completion.

aux = p = startp;
if (compl_status_adding())   // Forget to check text length of `p` here
{
    p += ins_compl_len();
    if (vim_iswordp(p))
	goto exit_matched;
    p = find_word_start(p);
}
p = find_word_end(p);

It's better to add check as ins_compl_len() <= (int)STRLEN(p).
This is similar to CVE-2022-2571.
Ref Link: a6f9e30

Expected behaviour

This will cause potential buffer overflow as CVE-2022-2571.

Version of Vim

9.1.1725

Environment

A simple code audit, not implemented.

Logs and stack traces

—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issues/18195@github.com>

[Christian Brabandt]

chrisbra left a comment (vim/vim#18195)

is this AI generated?

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issues/18195/3245674871@github.com>

[BLKHH]

ReBeating left a comment (vim/vim#18195)

The code audit was indeed conducted using AI.

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issues/18195/3253319573@github.com>

[Christian Brabandt]

chrisbra left a comment (vim/vim#18195)

I guess this doesn't hurt. Does you AI also provide a test case for this?

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issues/18195/3255648057@github.com>

[Christian Brabandt]

Closed #18195 as completed via 21ecb0d.

—
Reply to this email directly, view it on GitHub.

You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issue/18195/issue_event/19607203299@github.com>