From 82a96e3dc0ee8f45bb0c1fe17a0cec1db7582e8f Mon Sep 17 00:00:00 2001
From: jinyaoguo <guo846@purdue.edu>
Date: Mon, 9 Jun 2025 20:31:17 +0200
Subject: [PATCH] patch 9.1.1443: potential buffer underflow in insertchar()

Problem:  potential buffer underflow in insertchar()
Solution: verify that end_len is larger than zero
          (jinyaoguo)

When parsing the end-comment leader, end_len can be zero if
copy_option_part() writes no characters. The existing check
unconditionally accessed lead_end[end_len-1], causing potential
underflow when end_len == 0.

This change adds an end_len > 0 guard to ensure we only index lead_end
if there is at least one character.

closes: #17476

Signed-off-by: jinyaoguo <guo846@purdue.edu>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/edit.c    | 2 +-
 src/version.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/edit.c b/src/edit.c
index b4e6767f2c..9cc55ef3d7 100644
--- a/src/edit.c
+++ b/src/edit.c
@@ -2197,7 +2197,7 @@ insertchar(
 	    i -= middle_len;
 
 	    // Check some expected things before we go on
-	    if (i >= 0 && lead_end[end_len - 1] == end_comment_pending)
+	    if (i >= 0 && end_len > 0 && lead_end[end_len - 1] == end_comment_pending)
 	    {
 		// Backspace over all the stuff we want to replace
 		backspace_until_column(i);
diff --git a/src/version.c b/src/version.c
index 6e0081e9bb..491b51690e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1443,
 /**/
     1442,
 /**/