patch 9.2.0348: potential buffer underrun when setting statusline like option
Commit: https://github.com/vim/vim/commit/91b402f57575ed33649285043a3c631701165f4a Author: Christian Brabandt <[email protected]> Date: Tue Apr 14 18:18:36 2026 +0000 patch 9.2.0348: potential buffer underrun when setting statusline like option Problem: potential buffer underrun when settings statusline like option (q1uf3ng) Solution: Validate that p > out before accessing p[-1] closes: #19961 Signed-off-by: Christian Brabandt <[email protected]> diff --git a/src/buffer.c b/src/buffer.c index cbee49e1a..20f8dcc45 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -5028,7 +5028,7 @@ build_stl_str_hl_local( if (*s != '}') // missing '}' or out of space break; s++; - if (reevaluate) + if (reevaluate && p > out) p[-1] = NUL; // remove the % at the end of %{% expr %} else *p = NUL; diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim index 7dbb1d208..270f1ddbc 100644 --- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim @@ -5390,4 +5390,14 @@ func Test_breaklist_args_fails() call assert_fails(':breaklist extra', 'E488:') endfunc +func Test_rulerformat_empty() + set ruler rulerformat=%!'%{}%' + try + redraw + catch + endtry + set ruler& + set rulerformat& +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim index d33c06252..7bd07ca0b 100644 --- a/src/testdir/test_options.vim +++ b/src/testdir/test_options.vim @@ -870,9 +870,6 @@ func Test_set_option_errors() call assert_fails('set commentstring=x', 'E537:') call assert_fails('let &commentstring = "x"', 'E537:') call assert_fails('set complete=x', 'E539:') - call assert_fails('set rulerformat=%-', 'E539:') - call assert_fails('set rulerformat=%(', 'E542:') - call assert_fails('set rulerformat=%15(%%', 'E542:') " Test for 'statusline' errors call assert_fails('set statusline=%$', 'E539:') @@ -890,6 +887,11 @@ func Test_set_option_errors() call assert_fails('set tabline=%(', 'E542:') call assert_fails('set tabline=%)', 'E542:') + " Test for 'rulerformat' errors + call assert_fails('set rulerformat=%-', 'E539:') + call assert_fails('set rulerformat=%(', 'E542:') + call assert_fails('set rulerformat=%15(%%', 'E542:') + if has('cursorshape') " This invalid value for 'guicursor' used to cause Vim to crash. call assert_fails('set guicursor=i-ci,r-cr:h', 'E545:') diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim index 27fef946a..6936ca807 100644 --- a/src/testdir/test_statusline.vim +++ b/src/testdir/test_statusline.vim @@ -930,4 +930,14 @@ func Test_tabline_click_handler() endif endfunc +func Test_statusline_empty() + set laststatus=2 statusline=%!'%{}%' + try + redraw! + catch + endtry + set laststatus& + set statusline& +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim index 21f66cfcd..7ae060248 100644 --- a/src/testdir/test_tabline.vim +++ b/src/testdir/test_tabline.vim @@ -250,4 +250,14 @@ func Test_tabline_mouse_enable() endfor endfunc +func Test_tabline_empty() + set showtabline=2 tabline=%!'%{}%' + try + redraw! + catch + endtry + set showtabline& + set tabline& +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim index f983e2b37..4bb7f39eb 100644 --- a/src/testdir/test_tabpanel.vim +++ b/src/testdir/test_tabpanel.vim @@ -923,4 +923,14 @@ func Test_tabpanel_variable_height() %bwipeout! endfunc +func Test_tabpanel_empty() + set showtabpanel=2 tabpanel=%!'%{}%' + try + redraw! + catch + endtry + set showtabpanel& + set tabpanel& +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 63d8715aa..dec32640e 100644 --- a/src/version.c +++ b/src/version.c @@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 348, /**/ 347, /**/ -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1wCiWT-002f2c-I0%40256bit.org.
