From 51f0bfb88a3554ca2dde777d78a59880d1ee37a8 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 17 May 2022 20:11:02 +0100
Subject: [PATCH] patch 8.2.4975: recursive command line loop may cause a crash

Problem:    Recursive command line loop may cause a crash.
Solution:   Limit recursion of getcmdline().
---
 src/ex_getln.c               | 12 ++++++++++++
 src/testdir/test_cmdline.vim | 12 ++++++++++++
 src/version.c                |  2 ++
 3 files changed, 26 insertions(+)

diff --git a/src/ex_getln.c b/src/ex_getln.c
index cbddfea00375f..6462b00f732f9 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -1581,6 +1581,7 @@ getcmdline_int(
     int		indent,		// indent for inside conditionals
     int		clear_ccline)	// clear ccline first
 {
+    static int	depth = 0;	    // call depth
     int		c;
     int		i;
     int		j;
@@ -1611,6 +1612,9 @@ getcmdline_int(
     int		cmdline_type;
     int		wild_type;
 
+    // one recursion level deeper
+    ++depth;
+
     if (ccline.cmdbuff != NULL)
     {
 	// Being called recursively.  Since ccline is global, we need to save
@@ -1641,6 +1645,13 @@ getcmdline_int(
     if (init_ccline(firstc, indent) != OK)
 	goto theend;	// out of memory
 
+    if (depth == 50)
+    {
+	// Somehow got into a loop recursively calling getcmdline(), bail out.
+	emsg(_(e_command_too_recursive));
+	goto theend;
+    }
+
     ExpandInit(&xpc);
     ccline.xpc = &xpc;
 
@@ -2576,6 +2587,7 @@ getcmdline_int(
     {
 	char_u *p = ccline.cmdbuff;
 
+	--depth;
 	if (did_save_ccline)
 	    restore_cmdline(&save_ccline);
 	else
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index e944f8d24d022..cc7fe54d60673 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -3392,4 +3392,16 @@ func Test_screenpos_and_completion()
   call feedkeys(":let a\<C-R>=Check_completion()\<CR>\<Esc>", "xt")
 endfunc
 
+func Test_recursive_register()
+  let @= = ''
+  silent! ?e/
+  let caught = 'no'
+  try
+    normal // 
+  catch /E169:/
+    let caught = 'yes'
+  endtry
+  call assert_equal('yes', caught)
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 98bb40d1166db..8d901e4cc42bc 100644
--- a/src/version.c
+++ b/src/version.c
@@ -746,6 +746,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    4975,
 /**/
     4974,
 /**/