patch 9.1.2139: Buffer overflow in :wlrestore command
Commit:
https://github.com/vim/vim/commit/2498a460e2ab4b0452acfa96a42260667c63b93b
Author: Christian Brabandt <[email protected]>
Date: Sat Feb 7 15:07:32 2026 +0000
patch 9.1.2139: Buffer overflow in :wlrestore command
Problem: Buffer overflow in :wlrestore command, caused by assuming
wrong buffer length in vwl_log_handler() (Seungyeon Park)
Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
to properly truncate long messages.
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index 843868c20..989c7c07b 100644
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52517,4 +52517,10 @@ Problem: With 'autochdir' win_execute() can corrupt
the buffer name, causing
:write to use wrong path.
Solution: Save and restore b_fname when 'autochdir' is active (Ingo Karkat).
+Patch 9.1.2139
+Problem: Buffer overflow in :wlrestore command, caused by assuming
+ wrong buffer length in vwl_log_handler() (Seungyeon Park)
+Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
+ to properly truncate long messages.
+
vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
diff --git a/src/testdir/test_wayland.vim b/src/testdir/test_wayland.vim
index 155172a0f..c18b6b5d0 100644
--- a/src/testdir/test_wayland.vim
+++ b/src/testdir/test_wayland.vim
@@ -614,4 +614,9 @@ func Test_wayland_handle_large_data()
call assert_equal(l:contents, system('wl-paste -n -t TEXT'))
endfunc
+" Test for heap buffer overflow in wayland log handler
+func Test_wayland_protocol_error_overflow()
+ exe "wlrestore " .. repeat('X', 4096)
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
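Review bot: `Test_wayland_protocol_error_overflow()` contains no assertion, so it only catches a regression when the suite runs under ASan or Valgrind, or when the out-of-bounds write happens to crash Vim. A comment above the `exe` line would make that dependency explicit, e.g. `" No assertion: relies on ASan/Valgrind to flag an overflow in vwl_log_handler()`. If the logged message is observable from the test (not visible in this hunk), asserting that it comes back truncated would make the check independent of the build type.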
diff --git a/src/version.c b/src/version.c
index 0a395c50e..a892d87c7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2139,
/**/
2138,
/**/
diff --git a/src/wayland.c b/src/wayland.c
index 4db13c4c0..6461337aa 100644
--- a/src/wayland.c
+++ b/src/wayland.c
@@ -234,7 +234,7 @@ vwl_log_handler(const char *fmt, va_list args)
return;
vim_strncpy((char_u*)buf, (char_u*)prefix, len);
- vim_vsnprintf(buf + len, 4096 - len, fmt, args);
+ vim_vsnprintf(buf + len, 512 - len, fmt, args);
// Remove newline that libwayland puts
buf[STRLEN(buf) - 1] = NUL;
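Review bot: The bound passed to `vim_vsnprintf()` is still a bare literal, `512 - len`, the same pattern that caused the overflow when the literal disagreed with the real size of `buf`. The declaration or allocation of `buf` is outside this hunk. Assuming it is a 512-byte buffer, one named constant used for both the allocation and the bound would keep the two from drifting apart again, e.g. `vim_vsnprintf(buf + len, VWL_LOG_BUFSIZE - len, fmt, args);` (constant name constructed here for illustration). Separately, `buf[STRLEN(buf) - 1] = NUL;` strips the last byte unconditionally. Once a long message is truncated that byte is presumably no longer libwayland's newline, so testing for `'\n'` before removing it would avoid dropping a character of the message.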