commit 82a96e3dc0ee8f45bb0c1fe17a0cec1db7582e8f
author jinyaoguo <guo846@purdue.edu> Mon Jun 09 20:31:17 2025 +0200
committer Christian Brabandt <cb@256bit.org> Mon Jun 09 20:31:17 2025 +0200
tree abd53c028a2b00371fe009439682441e8ae8e460
parent 69565e3618209001eeeb6a35f14a19d47aaaa8f8

patch 9.1.1443: potential buffer underflow in insertchar()

Problem:  potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
          (jinyaoguo)

When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.

This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.

closes: #17476

Signed-off-by: jinyaoguo <guo846@purdue.edu>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/edit.c

diff --git a/src/edit.c b/src/edit.c
index b4e6767..9cc55ef 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -2197,7 +2197,7 @@
 	    i -= middle_len;
 
 	    // Check some expected things before we go on
-	    if (i >= 0 && lead_end[end_len - 1] == end_comment_pending)
+	    if (i >= 0 && end_len > 0 && lead_end[end_len - 1] == end_comment_pending)
 	    {
 		// Backspace over all the stuff we want to replace
 		backspace_until_column(i);