vim-patch:9.2.0293: :packadd may lead to heap-buffer-overflow

Problem:  :packadd may lead to heap-buffer-overflow when all entries in
          'runtimepath' have the same length (after 9.2.0291).
Solution: Check for comma after current entry properly (zeertzjq).

related: vim/vim#19854
closes:  vim/vim#19911

bc182ae56e

src/nvim/runtime.c

@@ -1076,7 +1076,7 @@ static int add_pack_dir_to_rtp(char *fname, bool is_pack)
     buf.size = copy_option_part((char **)&entry, buf.data, MAXPATHL, ",");
 
     // keep track of p_rtp length as we go to make the strlen() below have less work to do
-    p_rtp_len += (*(p_rtp + buf.size) == ',') ? buf.size + 1 : buf.size;
+    p_rtp_len += (*(cur_entry + buf.size) == ',') ? buf.size + 1 : buf.size;
 
     char *p = strstr(buf.data, "after");
     bool is_after = p != NULL

test/old/testdir/test_packadd.vim

@@ -27,6 +27,13 @@ func Test_packadd()
   " plugdir should be inserted before plugdir/after
   call assert_match('^nosuchdir,' . s:plugdir . ',', &rtp)
 
+  " This used to cause heep-buffer-overflow
+  " All existing entries in 'rtp' have the same length here
+  let &rtp = 'Xfoodir,Xbardir,Xbazdir'
+  packadd mytest
+  " plugdir should be inserted after the existing directories
+  call assert_match('^Xfoodir,Xbardir,Xbazdir,' .. s:plugdir .. ',', &rtp)
+
   set rtp&
   let rtp = &rtp
   filetype on