patch 9.1.1609: complete: Heap-buffer overflow with complete function

Problem:  complete: Heap-buffer overflow with complete function
          (zeertzjq)
Solution: Do not let startcol become negative (Girish Palya).

fixes: #17907
closes: #17934

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Girish Palya <girishji@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

Author: 3 people

src/insexpand.c

@@ -247,7 +247,6 @@ typedef struct cpt_source_T
 #endif
 } cpt_source_T;
 
-#define STARTCOL_NONE	-9
 static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources
 static int	    cpt_sources_count;  // Total number of completion sources specified in the 'cpt' option
 static int	    cpt_sources_index = -1;  // Index of the current completion source being expanded
@@ -5368,10 +5367,12 @@ prepare_cpt_compl_funcs(void)
 		else
 		    startcol = -2;
 	    }
+	    else if (startcol < 0 || startcol > curwin->w_cursor.col)
+		startcol = curwin->w_cursor.col;
 	    cpt_sources_array[idx].cs_startcol = startcol;
 	}
 	else
-	    cpt_sources_array[idx].cs_startcol = STARTCOL_NONE;
+	    cpt_sources_array[idx].cs_startcol = -3;
 
 	(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
 	idx++;
@@ -7495,16 +7496,15 @@ cpt_compl_refresh(void)
 		    else
 			startcol = -2;
 		}
+		else if (startcol < 0 || startcol > curwin->w_cursor.col)
+		    startcol = curwin->w_cursor.col;
 		cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
 		if (ret == OK)
 		{
 		    compl_source_start_timer(cpt_sources_index);
 		    get_cpt_func_completion_matches(cb);
 		}
 	    }
-	    else
-		cpt_sources_array[cpt_sources_index].cs_startcol
-		    = STARTCOL_NONE;
 	}
 
 	(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p

src/testdir/test_ins_complete.vim

@@ -5383,4 +5383,31 @@ func Test_scriplocal_autoload_func()
   let &rtp = save_rtp
 endfunc
 
+" Issue #17907
+func Test_omni_start_invalid_col()
+  func OmniFunc(startcol, findstart, base)
+    if a:findstart
+      return a:startcol
+    else
+      return ['foo', 'foobar']
+    endif
+  endfunc
+
+  new
+  set complete=o
+  set omnifunc=funcref('OmniFunc',\ [-1])
+  call setline(1, ['baz '])
+  call feedkeys("A\<C-N>\<Esc>0", 'tx!')
+  call assert_equal('baz foo', getline(1))
+
+  set omnifunc=funcref('OmniFunc',\ [1000])
+  call setline(1, ['bar '])
+  call feedkeys("A\<C-N>\<Esc>0", 'tx!')
+  call assert_equal('bar foo', getline(1))
+  bw!
+
+  delfunc OmniFunc
+  set omnifunc& complete&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab nofoldenable

src/version.c

@@ -719,6 +719,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1609,
 /**/
     1608,
 /**/