From 6c9a5743a0c296e74a48368a65783b9d49e6f702 Mon Sep 17 00:00:00 2001
From: Thomas Vigouroux <39092278+vigoux@users.noreply.github.com>
Date: Wed, 22 Apr 2020 18:54:56 +0200
Subject: [PATCH] treesitter: check for integer overflow (#12135)

Sometimes treesitter calls for an invalid column within a line, checking that the column is actually valid and forcing the value avoids an integer overflow and an infinite sequence of invalid reads.

Fixes #12131
---
 src/nvim/lua/treesitter.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/nvim/lua/treesitter.c b/src/nvim/lua/treesitter.c
index 4753df7b87..51d9549033 100644
--- a/src/nvim/lua/treesitter.c
+++ b/src/nvim/lua/treesitter.c
@@ -271,17 +271,22 @@ static const char *input_cb(void *payload, uint32_t byte_index,
   }
   char_u *line = ml_get_buf(bp, position.row+1, false);
   size_t len = STRLEN(line);
-  size_t tocopy = MIN(len-position.column, BUFSIZE);
-  memcpy(buf, line+position.column, tocopy);
-  // Translate embedded \n to NUL
-  memchrsub(buf, '\n', '\0', tocopy);
-  *bytes_read = (uint32_t)tocopy;
-  if (tocopy < BUFSIZE) {
-    // now add the final \n. If it didn't fit, input_cb will be called again
-    // on the same line with advanced column.
-    buf[tocopy] = '\n';
-    (*bytes_read)++;
+  if (position.column > len) {
+    *bytes_read = 0;
+  } else {
+    size_t tocopy = MIN(len-position.column, BUFSIZE);
+
+    memcpy(buf, line+position.column, tocopy);
+    // Translate embedded \n to NUL
+    memchrsub(buf, '\n', '\0', tocopy);
+    *bytes_read = (uint32_t)tocopy;
+    if (tocopy < BUFSIZE) {
+      // now add the final \n. If it didn't fit, input_cb will be called again
+      // on the same line with advanced column.
+      buf[tocopy] = '\n';
+      (*bytes_read)++;
+    }
   }
   return buf;
 #undef BUFSIZE
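Review bot: The new guard `if (position.column > len)` at the top of the hunk is the whole fix — both operands of `len-position.column` are unsigned, so a column past the end of the line wrapped the subtraction, `MIN` clamped it to BUFSIZE, and the memcpy then read up to 256 bytes past the end of the line — yet nothing in the code records that, and a later cleanup could drop the check as an apparently redundant bounds test. I would state the invariant beside it: `// tree-sitter may request a column past the end of the line; without this guard len-position.column wraps and memcpy reads beyond the line`. On that path the function still hands back `buf`, i.e. whatever the previous call left in the static buffer; with `*bytes_read == 0` the caller should never inspect it, but returning the same empty-input value used by the row-out-of-range branch just above (its body is outside the hunk) would make the contract explicit and avoid exposing stale bytes at all. An early `return` there would also let the copy path keep its original indentation rather than nesting the entire body inside the `else`. input_cb begins before this hunk.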