From: Markus Koschany <apo@debian.org>
Date: Wed, 19 Oct 2022 18:47:02 +0200
Subject: CVE-2021-3872

Origin: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
---
 src/screen.c                    | 10 +++++-----
 src/testdir/test_statusline.vim | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

--- a/src/screen.c
+++ b/src/screen.c
@@ -6887,13 +6887,13 @@ win_redr_status(win_T *wp, int ignore_pu
 	    *(p + len++) = ' ';
 	if (bt_help(wp->w_buffer))
 	{
-	    STRCPY(p + len, _("[Help]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
 	    len += (int)STRLEN(p + len);
 	}
 #ifdef FEAT_QUICKFIX
 	if (wp->w_p_pvw)
 	{
-	    STRCPY(p + len, _("[Preview]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
 	    len += (int)STRLEN(p + len);
 	}
 #endif
@@ -6903,12 +6903,12 @@ win_redr_status(win_T *wp, int ignore_pu
 #endif
 		)
 	{
-	    STRCPY(p + len, "[+]");
-	    len += 3;
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
+	    len += (int)STRLEN(p + len);
 	}
 	if (wp->w_buffer->b_p_ro)
 	{
-	    STRCPY(p + len, _("[RO]"));
+	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
 	    len += (int)STRLEN(p + len);
 	}
 
--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
@@ -341,3 +341,17 @@ func Test_statusline()
   set laststatus&
   set splitbelow&
 endfunc
+
+
+" CVE-2021-3872
+" Used to write beyond allocated memory.  This assumes MAXPATHL is 4096 bytes.
+function Test_statusline_verylong_filename()
+  let fname = repeat('x', 4090)
+  exe "new " . fname
+  set buftype=help
+  set previewwindow
+  redraw
+  bwipe!
+endfunc
+
+