From c95bc3349b6df13d8a4b5c1c7f3440e4578b266c Mon Sep 17 00:00:00 2001
From: Thiago de Arruda <tpadilha84@gmail.com>
Date: Tue, 28 Oct 2014 09:17:57 -0300
Subject: [PATCH] input: Fix conversion error in `convert_input()`

The `rbuffer_consumed` was being passed a consumed count from another buffer,
causing integer overflow in `rbuffer_relocate`.

Fixes #1343
---
 src/nvim/os/input.c   | 16 +++++++++++-----
 src/nvim/os/rstream.c |  1 +
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/nvim/os/input.c b/src/nvim/os/input.c
index 2c8026d099..e4501aeb82 100644
--- a/src/nvim/os/input.c
+++ b/src/nvim/os/input.c
@@ -1,3 +1,4 @@
+#include <assert.h>
 #include <string.h>
 #include <stdint.h>
 #include <stdbool.h>
@@ -237,18 +238,23 @@ static void convert_input(void)
 
   if (convert) {
     // Perform input conversion according to `input_conv`
-    size_t unconverted_length;
+    size_t unconverted_length = 0;
     data = (char *)string_convert_ext(&input_conv,
                                       (uint8_t *)data,
                                       (int *)&converted_length,
                                       (int *)&unconverted_length);
-    data_length = rbuffer_pending(read_buffer) - unconverted_length;
+    data_length -= unconverted_length;
   }
 
-  // Write processed data to input buffer
-  size_t consumed = rbuffer_write(input_buffer, data, data_length);
+  // The conversion code will be gone eventually, for now assume `input_buffer`
+  // always has space for the converted data(it's many times the size of
+  // `read_buffer`, so it's hard to imagine a scenario where the converted data
+  // doesn't fit)
+  assert(converted_length <= rbuffer_available(input_buffer));
+  // Write processed data to input buffer.
+  (void)rbuffer_write(input_buffer, data, converted_length);
   // Adjust raw buffer pointers
-  rbuffer_consumed(read_buffer, consumed);
+  rbuffer_consumed(read_buffer, data_length);
 
   if (convert) {
     // data points to memory allocated by `string_convert_ext`, free it.
diff --git a/src/nvim/os/rstream.c b/src/nvim/os/rstream.c
index d96b3d931c..beff404fd0 100644
--- a/src/nvim/os/rstream.c
+++ b/src/nvim/os/rstream.c
@@ -396,6 +396,7 @@ static void close_cb(uv_handle_t *handle)
 
 static void rbuffer_relocate(RBuffer *rbuffer)
 {
+  assert(rbuffer->rpos <= rbuffer->wpos);
   // Move data ...
   memmove(
       rbuffer->data,  // ...to the beginning of the buffer(rpos 0)