From aab7129abe39d3433facb9994998bede3a4299e1 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Sat, 15 Mar 2025 08:16:28 +0800
Subject: [PATCH] vim-patch:9.0.1458: buffer overflow when expanding long file
 name

Problem:    Buffer overflow when expanding long file name.
Solution:   Use a larger buffer and avoid overflowing it. (Yee Cheng Chin,
            closes vim/vim#12201)

https://github.com/vim/vim/commit/a77670726e3706973adffc2b118f4576e1f58ea0

Co-authored-by: Yee Cheng Chin <ychin.git@gmail.com>
(cherry picked from commit b0b61c42b3abc9fbbe7f3b06914f8022a6154598)
---
 src/nvim/path.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/nvim/path.c b/src/nvim/path.c
index b412ce6313..eeef8a2ffd 100644
--- a/src/nvim/path.c
+++ b/src/nvim/path.c
@@ -633,7 +633,7 @@ static size_t do_path_expand(garray_T *gap, const char *path, size_t wildoff, in
 
   // Make room for file name.  When doing encoding conversion the actual
   // length may be quite a bit longer, thus use the maximum possible length.
-  const size_t buflen = MAXPATHL;
+  const size_t buflen = strlen(path) + MAXPATHL;
   char *buf = xmalloc(buflen);
 
   // Find the first part in the path name that contains a wildcard.
@@ -746,7 +746,7 @@ static size_t do_path_expand(garray_T *gap, const char *path, size_t wildoff, in
           && ((regmatch.regprog != NULL && vim_regexec(&regmatch, name, 0))
               || ((flags & EW_NOTWILD)
                   && path_fnamencmp(path + (s - buf), name, (size_t)(e - s)) == 0))) {
-        STRCPY(s, name);
+        xstrlcpy(s, name, buflen - (size_t)(s - buf));
         len = strlen(buf);
 
         if (starstar && stardepth < 100) {