From 5182627ce97162b90d8d6c34408c4ce937e1072c Mon Sep 17 00:00:00 2001
From: f380cedric
Date: Thu, 27 Jan 2022 14:58:53 +0100
Subject: [PATCH] vim-patch:8.2.3669: buffer overflow with long help argument (#16971)

Problem: Buffer overflow with long help argument.
Solution: Use snprintf().
https://github.com/vim/vim/commit/bd228fd097b41a798f90944b5d1245eddd484142
---
 src/nvim/ex_cmds.c | 3 +--
 src/nvim/testdir/test_help.vim | 8 ++++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/nvim/ex_cmds.c b/src/nvim/ex_cmds.c
index ca5e14ee63..12598a88d1 100644
--- a/src/nvim/ex_cmds.c
+++ b/src/nvim/ex_cmds.c
@@ -5071,8 +5071,7 @@ int find_help_tags(const char_u *arg, int *num_matches, char_u ***matches, bool
 && ((arg[1] != NUL && arg[2] == NUL)
 || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
 && arg[2] != NUL))) {
- STRCPY(d, "/\\\\");
- STRCPY(d + 3, arg + 1);
+ vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
 // Check for "/\\_$", should be "/\\_\$"
 if (d[3] == '_' && d[4] == '$') {
 STRCPY(d + 4, "\\$");
diff --git a/src/nvim/testdir/test_help.vim b/src/nvim/testdir/test_help.vim
index 8e59efd22d..977dad6a45 100644
--- a/src/nvim/testdir/test_help.vim
+++ b/src/nvim/testdir/test_help.vim
@@ -101,4 +101,12 @@ func Test_helptag_cmd()
 call delete('Xdir', 'rf')
 endfunc

+func Test_help_long_argument()
+ try
+ exe 'help \%' .. repeat('0', 1021)
+ catch
+ call assert_match("E149:", v:exception)
+ endtry
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
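Review bot: The result of `vim_snprintf()` on the added line is discarded, so an over-long argument is now truncated silently and the code after it goes on to work with a shortened pattern. The bound also relies on `d` addressing at least `IOSIZE` bytes, which the hunk does not show, since find_help_tags starts and ends outside it. I would add a comment on the call such as `// d must address at least IOSIZE bytes; longer input is truncated, not rejected`. If a truncated pattern should count as "no match", compare the returned length with `IOSIZE` before continuing.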
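Review bot: Test_help_long_argument asserts only inside the `catch` branch, so it passes without checking anything if `:help` ever stops raising an error for this input. `call assert_fails('help \%' .. repeat('0', 1021), 'E149:')` would fail the test in that case as well. The length 1021 is presumably chosen relative to the buffer size used in find_help_tags; a one-line comment such as `" argument long enough to overrun the help pattern buffer before patch 8.2.3669` would keep the value from being shortened later.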