From a6d5778d9b14d6c194d23f01c8ddfdcdc08c7974 Mon Sep 17 00:00:00 2001
From: Julio B <julio.bacel@gmail.com>
Date: Fri, 7 Feb 2025 20:44:49 +0100
Subject: [PATCH] patch 9.1.1082: unexpected DCS responses may cause out of
 bounds reads

Problem:  unexpected DCS responses may cause out of bounds reads
          (after v9.1.1054)
Solution: check that the parsed value is '=' as expected
          (Julio B)

Signed-off-by: Julio B <julio.bacel@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/term.c    | 7 +++++--
 src/version.c | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/term.c b/src/term.c
index 4d30ee1ca..318b982d7 100644
--- a/src/term.c
+++ b/src/term.c
@@ -7136,7 +7136,9 @@ req_more_codes_from_term(void)
 }
 
 /*
- * Decode key code response from xterm: '<Esc>P1+r<name>=<string><Esc>\'.
+ * Decode key code response from xterm:
+ * '<Esc>P1+r<name>=<string><Esc>\' if it is enabled/supported
+ * '<Esc>P0+r<Esc>\'                if it not enabled
  * A "0" instead of the "1" indicates a code that isn't supported.
  * Both <name> and <string> are encoded in hex.
  * "code" points to the "0" or "1".
@@ -7152,8 +7154,9 @@ got_code_from_term(char_u *code, int len)
     int		c;
 
     // A '1' means the code is supported, a '0' means it isn't.
+    // If it is supported, there must be a '=' following
     // When half the length is > XT_LEN we can't use it.
-    if (code[0] == '1' && (code[7] || code[9] == '=') && len / 2 < XT_LEN)
+    if (code[0] == '1' && (code[7] == '=' || code[9] == '=') && len / 2 < XT_LEN)
     {
 	// Get the name from the response and find it in the table.
 	name[0] = hexhex2nr(code + 3);
diff --git a/src/version.c b/src/version.c
index 55cbd4fda..35deca863 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1082,
 /**/
     1081,
 /**/