patch 9.1.1609: complete: Heap-buffer overflow with complete function

Problem:  complete: Heap-buffer overflow with complete function
          (zeertzjq)
Solution: Do not let startcol become negative (Girish Palya).

fixes: #17907
closes: #17934

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Girish Palya <girishji@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/insexpand.c

@@ -247,7 +247,6 @@ typedef struct cpt_source_T
 #endif
 } cpt_source_T;
 
-#define STARTCOL_NONE	-9
 static cpt_source_T *cpt_sources_array; // Pointer to the array of completion sources
 static int	    cpt_sources_count;  // Total number of completion sources specified in the 'cpt' option
 static int	    cpt_sources_index = -1;  // Index of the current completion source being expanded
@@ -5368,10 +5367,12 @@ prepare_cpt_compl_funcs(void)
 		else
 		    startcol = -2;
 	    }
+	    else if (startcol < 0 || startcol > curwin->w_cursor.col)
+		startcol = curwin->w_cursor.col;
 	    cpt_sources_array[idx].cs_startcol = startcol;
 	}
 	else
-	    cpt_sources_array[idx].cs_startcol = STARTCOL_NONE;
+	    cpt_sources_array[idx].cs_startcol = -3;
 
 	(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p
 	idx++;
@@ -7495,6 +7496,8 @@ cpt_compl_refresh(void)
 		    else
 			startcol = -2;
 		}
+		else if (startcol < 0 || startcol > curwin->w_cursor.col)
+		    startcol = curwin->w_cursor.col;
 		cpt_sources_array[cpt_sources_index].cs_startcol = startcol;
 		if (ret == OK)
 		{
@@ -7502,9 +7505,6 @@ cpt_compl_refresh(void)
 		    get_cpt_func_completion_matches(cb);
 		}
 	    }
-	    else
-		cpt_sources_array[cpt_sources_index].cs_startcol
-		    = STARTCOL_NONE;
 	}
 
 	(void)copy_option_part(&p, IObuff, IOSIZE, ","); // Advance p