patch 9.2.0266: typeahead buffer overflow during mouse drag event

Commit: 
https://github.com/vim/vim/commit/8ea5f2774538e8598681339e136223335a184912
Author: Yasuhiro Matsumoto <[email protected]>
Date:   Sun Mar 29 09:15:14 2026 +0000

    patch 9.2.0266: typeahead buffer overflow during mouse drag event
    
    Problem:  typeahead buffer overflow during mouse drag event
    Solution: Change the guard from 5 to 10 to account for the worst case
              (Yasuhiro Matsumoto).
    
    The typeahead buffer guard in mch_inchar() only reserved 5 bytes per
    iteration, but a mouse event writes up to 7 bytes (3 header + 4
    coordinates) and a scroll event with modifiers writes up to 10 bytes
    (3 modifier + 3 scroll + 4 coordinates).  During fast mouse dragging,
    3+ events could queue up and overflow the 20-byte buffer, corrupting
    adjacent static variables and causing garbage bytes (including Ctrl-Z)
    to be fed into the input stream, which triggered nv_suspend/ex_stop.
    
    closes: #19851
    
    Signed-off-by: Yasuhiro Matsumoto <[email protected]>
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/src/os_win32.c b/src/os_win32.c
index 431d3b548..edbe895ec 100644
--- a/src/os_win32.c
+++ b/src/os_win32.c
@@ -2424,10 +2424,11 @@ mch_inchar(
 # endif
 
     // Keep looping until there is something in the typeahead buffer and more
-    // to get and still room in the buffer (up to two bytes for a char and
-    // three bytes for a modifier).
+    // to get and still room in the buffer.  A mouse event uses up to
+    // 10 bytes: 3 (modifier) + 3 (scroll event) + 4 (coordinates), and a
+    // keyboard input uses up to 7 bytes: 3 (modifier) + 4 (UTF-8 char).
     while ((typeaheadlen == 0 || WaitForChar(0L, FALSE))
-                         && typeaheadlen + 5 + TYPEAHEADSPACE <= TYPEAHEADLEN)
+                         && typeaheadlen + 10 + TYPEAHEADSPACE <= TYPEAHEADLEN)
     {
        if (typebuf_changed(tb_change_cnt))
        {
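Review bot: The literal 10 in the loop condition `typeaheadlen + 10 + TYPEAHEADSPACE <= TYPEAHEADLEN` is connected to the worst-case event size only by the comment above it, which is the same arrangement that let the old 5 go stale. Consider a named constant defined next to TYPEAHEADLEN (the name is up to you), with the 3 + 3 + 4 breakdown documented at the definition, so the guard and the writers share one source of truth. Since this guard runs once per iteration and the writes themselves are not in this hunk, a bounds check or assertion at the point where bytes are appended to the typeahead buffer would make any future event that emits more than 10 bytes fail visibly instead of overwriting the adjacent static variables. The patch touches only src/os_win32.c and src/version.c, so there is no regression test covering queued drag or scroll-with-modifier events; worth adding one if the Windows console input path can be driven from the test suite.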
diff --git a/src/version.c b/src/version.c
index 775a09daa..5a1fd0cd7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    266,
 /**/
     265,
 /**/
