From 8707ec264462b66ff9243f40365d6d24ed2f7f6d Mon Sep 17 00:00:00 2001 From: gcrtnst <52910071+gcrtnst@users.noreply.github.com> Date: Tue, 6 May 2025 21:20:03 +0900 Subject: [PATCH] fix(termkey): out-of-bounds write in array #33868 Problem: termkey crashes due to an out-of-bounds write in an array when it received a CSI sequence with 17 or more arguments. This could be observed on startup with certain terminal emulators like [RLogin], which send a response to the `CSI c` query containing 17 parameters. The termkey code has a boundary check, but its comparison operator is incorrect. Solution: Correct the comparison operator to ensure proper boundary checking. With this change, I have confirmed that the crash no longer occurs on RLogin. https://github.com/kmiya-culti/RLogin Fixes #24356 --- src/nvim/tui/termkey/driver-csi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nvim/tui/termkey/driver-csi.c b/src/nvim/tui/termkey/driver-csi.c index d427be50ff..f8e503a9d2 100644 --- a/src/nvim/tui/termkey/driver-csi.c +++ b/src/nvim/tui/termkey/driver-csi.c @@ -507,7 +507,7 @@ static TermKeyResult parse_csi(TermKey *tk, size_t introlen, size_t *csi_len, present = 0; argi++; - if (argi > 16) { + if (argi >= 16) { break; } } else if (c >= 0x20 && c <= 0x2f) {
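Review bot: the limit in `if (argi >= 16)` is a bare literal that has to agree with the declared length of the argument array, which is not visible in this hunk, and the off-by-one being fixed here is exactly that kind of mismatch. Consider deriving the bound from the array itself (a named constant shared with the declaration, or an element-count macro) so the check cannot drift from the declaration again. The diffstat shows only driver-csi.c changed, so a regression test that feeds parse_csi a CSI sequence with 17 or more parameters, like the RLogin `CSI c` response described in the commit message, would be worth adding. A one-line comment at the `break` stating what happens to parameters beyond the limit would also help the next reader.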