From 06144afb712dcb910eab9626d23945d4ba313da8 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sat, 29 Oct 2022 08:03:32 +0800
Subject: [PATCH] fix: avoid unsigned overflow in home_replace()
(cherry picked from commit d3ac297554371266b8b976cfee80d10c62802862)
---
 src/nvim/os/env.c | 6 ++++++
 test/functional/editor/tabpage_spec.lua | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/src/nvim/os/env.c b/src/nvim/os/env.c
index bd79b43574..faafc546a4 100644
--- a/src/nvim/os/env.c
+++ b/src/nvim/os/env.c
@@ -1119,10 +1119,16 @@ size_t home_replace(const buf_T *const buf, const char *src, char *const dst, si
 len = envlen;
 }
+ if (dstlen == 0) {
+ break; // Avoid overflowing below.
+ }
 // if (!one) skip to separator: space or comma.
 while (*src && (one || (*src != ',' && *src != ' ')) && --dstlen > 0) {
 *dst_p++ = *src++;
 }
+ if (dstlen == 0) {
+ break; // Avoid overflowing below.
+ }
 // Skip separator.
 while ((*src == ' ' || *src == ',') && --dstlen > 0) {
 *dst_p++ = *src++;
diff --git a/test/functional/editor/tabpage_spec.lua b/test/functional/editor/tabpage_spec.lua
index f8ca6986bd..a7f629a76b 100644
--- a/test/functional/editor/tabpage_spec.lua
+++ b/test/functional/editor/tabpage_spec.lua
@@ -144,4 +144,10 @@ describe('tabpage', function()
 command(' silent :keepalt :: ::: silent! -2 tabmove')
 eq(1, funcs.nvim_tabpage_get_number(0))
 end)
+
+ it(':tabs does not overflow IObuff with long path with comma #20850', function()
+ meths.buf_set_name(0, ('x'):rep(1024) .. ',' .. ('x'):rep(1024))
+ command('tabs')
+ assert_alive()
+ end)
 end)
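Review bot: The comment on both added guards, `// Avoid overflowing below.`, does not say what overflows or why it matters. Each loop that follows tests `--dstlen > 0`, and with an unsigned `dstlen` already at 0 the pre-decrement wraps to a very large value, so the copy through `dst_p` is no longer bounded by the destination size. I would state that on the first guard, e.g. `// dstlen is unsigned: --dstlen on 0 wraps and the copy below would run past dst.`, and have the second guard refer to it. The `break` leaves for code outside this hunk, so it is worth confirming that whatever terminates `dst` there still has a byte available when `dstlen` reached 0 before the first guard rather than inside one of the loops. home_replace() begins and ends outside the hunk.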
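Review bot: The `1024` in `('x'):rep(1024)` is an unexplained magic number, and the test presumably reaches the guarded path only while that length lines up with the capacity of IObuff so that the comma is the first character that no longer fits. If the buffer size changes, the test would keep passing without exercising the fix, so a comment such as `-- 1024 x's are assumed to fill IObuff exactly; keep in sync with its size` would help. Separately, `assert_alive()` only detects a crash, so an out-of-bounds write that does not kill the process would pass unless the suite runs under a sanitizer. Asserting on the captured `:tabs` output would make the check independent of that.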