patch 9.2.0185: buffer overflow when redrawing custom tabline
Commit:
https://github.com/vim/vim/commit/ed7c7fb2257076181afefe13b8967c9afec9b0d6
Author: thinca <[email protected]>
Date: Tue Mar 17 18:52:58 2026 +0000
patch 9.2.0185: buffer overflow when redrawing custom tabline
Problem: When drawing a custom tabline, if topframe->fr_width is
larger than Columns (possible during tab closure with
showtabpanel=1), Vim writes past the end of the
TabPageIdxs[] array.
Solution: Cap the column limit at Columns to ensure TabPageIdxs is
never accessed out-of-bounds (thinca).
closes: #19725
Supported by AI
Signed-off-by: thinca <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/screen.c b/src/screen.c
index fc99ac372..acef4d38b 100644
--- a/src/screen.c
+++ b/src/screen.c
@@ -1439,6 +1439,9 @@ win_redr_custom(
if (wp == NULL)
{
// Fill the TabPageIdxs[] array for clicking in the tab pagesline.
+ int end_col = firstwin->w_wincol + topframe->fr_width;
+ if (end_col > Columns)
+ end_col = Columns;
col = firstwin->w_wincol;
len = 0;
p = buf;
@@ -1446,12 +1449,14 @@ win_redr_custom(
for (n = 0; tabtab[n].start != NULL; n++)
{
len += vim_strnsize(p, (int)(tabtab[n].start - p));
- while (col < len)
+ while (col < len && col < end_col)
TabPageIdxs[col++] = fillchar;
+ if (col >= end_col)
+ break;
p = tabtab[n].start;
fillchar = tabtab[n].userhl;
}
- while (col < firstwin->w_wincol + topframe->fr_width)
+ while (col < end_col)
TabPageIdxs[col++] = fillchar;
}
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index e02e4f303..21f66cfcd 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -158,6 +158,20 @@ func Test_mouse_click_in_tab()
call RunVim([], [], "-e -s -S Xclickscript -c qa")
endfunc
+func Test_tabline_TabPageIdxs_overflow()
+ " Regression: TabPageIdxs[] overflow when closing a tab with custom
+ " 'tabline' and showtabpanel=1 (firstwin->w_wincol + topframe->fr_width
+ " could exceed Columns).
+ CheckFeature tabpanel
+ let before = [
+ \ 'set showtabpanel=1',
+ \ 'set tabline=foo',
+ \ 'call feedkeys(":qa!\<CR>")',
+ \ ]
+ call RunVim(before, [], '-p Xtabline_overflow_a Xtabline_overflow_b')
+ call assert_equal(0, v:shell_error, 'Vim subprocess must not crash
(TabPageIdxs overflow)')
+endfunc
+
func Test_tabline_showcmd()
CheckScreendump
diff --git a/src/version.c b/src/version.c
index 0bfaa8e7a..1f2cf0ec2 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 185,
/**/
184,
/**/
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/vim_dev/E1w2Ze7-00ALb7-Vb%40256bit.org.
