Commit: patch 9.1.1609: complete: Heap-buffer overflow with complete function


Christian Brabandt

Aug 8, 2025, 10:00:16 AM8/8/25
to vim...@googlegroups.com
patch 9.1.1609: complete: Heap-buffer overflow with complete function

Commit: https://github.com/vim/vim/commit/761ea77670c4fdb96d6c6fb7d4db6dc77eb8095f
Author: Girish Palya <giri...@gmail.com>
Date: Fri Aug 8 15:42:27 2025 +0200

patch 9.1.1609: complete: Heap-buffer overflow with complete function

Problem: complete: Heap-buffer overflow with complete function
(zeertzjq)
Solution: Do not let startcol become negative (Girish Palya).

fixes: #17907
closes: #17934

Co-authored-by: zeertzjq <zeer...@outlook.com>
Co-authored-by: Hirohito Higashi <h.eas...@gmail.com>
Signed-off-by: Girish Palya <giri...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/insexpand.c b/src/insexpand.c
index 03d946bb8..5b4afb9e4 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -247,7 +247,6 @@ typedef struct cpt_source_T
#endif
} cpt_source_T;

-#define STARTCOL_NONE -9
static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources
static int cpt_sources_count; // Total number of completion sources specified in the 'cpt' option
static int cpt_sources_index = -1; // Index of the current completion source being expanded
@@ -5368,10 +5367,12 @@ prepare_cpt_compl_funcs(void)
else
startcol = -2;
}
+ else if (startcol < 0 || startcol > curwin->w_cursor.col)
+ startcol = curwin->w_cursor.col;
cpt_sources_array[idx].cs_startcol = startcol;
}
else
- cpt_sources_array[idx].cs_startcol = STARTCOL_NONE;
+ cpt_sources_array[idx].cs_startcol = -3;

(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
idx++;
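Review bot: The bare literal on the `cpt_sources_array[idx].cs_startcol = -3;` line replaces the named `STARTCOL_NONE` that the first hunk removes, and nothing tells a reader of `cs_startcol` what the value signals. If it is meant to coincide with the `-3` a complete function may itself return, a one-line comment such as `// -3: no start column; same meaning as a function returning -3` would keep the two from drifting apart; otherwise a named constant is clearer than the number. The added `else if (startcol < 0 || startcol > curwin->w_cursor.col)` clamp stops the out-of-range values behind the overflow, but it silently coerces a misbehaving function's return to the cursor column rather than reporting it, so a comment stating that this is deliberate would help. prepare_cpt_compl_funcs begins before this hunk.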
@@ -7495,6 +7496,8 @@ cpt_compl_refresh(void)
else
startcol = -2;
}
+ else if (startcol < 0 || startcol > curwin->w_cursor.col)
+ startcol = curwin->w_cursor.col;
cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
if (ret == OK)
{
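Review bot: The clamp `else if (startcol < 0 || startcol > curwin->w_cursor.col) startcol = curwin->w_cursor.col;` is now duplicated verbatim between prepare_cpt_compl_funcs (previous hunk) and cpt_compl_refresh here, so any later change to the bound has to be repeated in two places. A small static helper applied at both sites would keep the check in one place and give it a name. cpt_compl_refresh begins before this hunk, so the branch preceding the `else if` is not visible here.
```c
// Clamp a start column returned by a complete function to a valid range.
    static int
cpt_clamp_startcol(int startcol)
{
    if (startcol < 0 || startcol > curwin->w_cursor.col)
	return curwin->w_cursor.col;
    return startcol;
}

// … unchanged: cpt_compl_refresh up to the startcol branches …
	else
	    startcol = cpt_clamp_startcol(startcol);
	cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
```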
@@ -7502,9 +7505,6 @@ cpt_compl_refresh(void)
get_cpt_func_completion_matches(cb);
}
}
- else
- cpt_sources_array[cpt_sources_index].cs_startcol
- = STARTCOL_NONE;
}

(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
diff --git a/src/testdir/test_ins_complete.vim b/src/testdir/test_ins_complete.vim
index 4ec1f357e..560b2c424 100644
--- a/src/testdir/test_ins_complete.vim
+++ b/src/testdir/test_ins_complete.vim
@@ -5383,4 +5383,31 @@ func Test_scriplocal_autoload_func()
let &rtp = save_rtp
endfunc

+" Issue #17907
+func Test_omni_start_invalid_col()
+ func OmniFunc(startcol, findstart, base)
+ if a:findstart
+ return a:startcol
+ else
+ return ['foo', 'foobar']
+ endif
+ endfunc
+
+ new
+ set complete=o
+ set omnifunc=funcref('OmniFunc',\ [-1])
+ call setline(1, ['baz '])
+ call feedkeys("A\<C-N>\<Esc>0", 'tx!')
+ call assert_equal('baz foo', getline(1))
+
+ set omnifunc=funcref('OmniFunc',\ [1000])
+ call setline(1, ['bar '])
+ call feedkeys("A\<C-N>\<Esc>0", 'tx!')
+ call assert_equal('bar foo', getline(1))
+ bw!
+
+ delfunc OmniFunc
+ set omnifunc& complete&
+endfunc
+
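Review bot: The new test drives both out-of-range values through a single `<C-N>` with `complete=o`, which exercises the clamp added in prepare_cpt_compl_funcs, but the identical clamp added in cpt_compl_refresh has no case here; presumably that path is reached when completion is refreshed after further typing, which the test never does. A variant that types another character after the first `<C-N>` before asserting, if that is what reaches the refresh path, would cover both copies. A short comment above `func OmniFunc` saying that `a:startcol` is the invalid column injected through `funcref()` would also make the fixture easier to read.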
" vim: shiftwidth=2 sts=2 expandtab nofoldenable
diff --git a/src/version.c b/src/version.c
index c459d7c77..4abf6025d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -719,6 +719,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1609,
/**/
1608,
/**/