From 8b9c902106eaf2d5ee56171f3c5df725b102bcac Mon Sep 17 00:00:00 2001
From: Christian Brabandt <[email protected]>
Date: Sun, 25 Aug 2024 21:33:03 +0200
Subject: [PATCH] patch 9.1.0697: [security]: heap-buffer-overflow in
 ins_typebuf

Problem:  heap-buffer-overflow in ins_typebuf
          (SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
          is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Signed-off-by: Christian Brabandt <[email protected]>
---
 src/getchar.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/getchar.c b/src/getchar.c
index da0503370..1b775aaad 100644
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -438,9 +438,18 @@ flush_buffers(flush_buffers_T flush_typeahead)
 
     if (flush_typeahead == FLUSH_MINIMAL)
     {
-	// remove mapped characters at the start only
-	typebuf.tb_off += typebuf.tb_maplen;
-	typebuf.tb_len -= typebuf.tb_maplen;
+	// remove mapped characters at the start only,
+	// but only when enough space left in typebuf
+	if (typebuf.tb_off + typebuf.tb_maplen >= typebuf.tb_buflen)
+	{
+	    typebuf.tb_off = MAXMAPLEN;
+	    typebuf.tb_len = 0;
+	}
+	else
+	{
+	    typebuf.tb_off += typebuf.tb_maplen;
+	    typebuf.tb_len -= typebuf.tb_maplen;
+	}
 #if defined(FEAT_CLIENTSERVER) || defined(FEAT_EVAL)
 	if (typebuf.tb_len == 0)
 	    typebuf_was_filled = FALSE;
-- 
2.41.1