patch 9.1.2139: Buffer overflow in :wlrestore command

Problem:  Buffer overflow in :wlrestore command, caused by assuming
          wrong buffer length in vwl_log_handler() (Seungyeon Park)
Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
          to properly truncate long messages.

Signed-off-by: Christian Brabandt <cb@256bit.org>

runtime/doc/version9.txt

@@ -52517,4 +52517,10 @@ Problem:  With 'autochdir' win_execute() can corrupt the buffer name, causing
           :write to use wrong path.
 Solution: Save and restore b_fname when 'autochdir' is active (Ingo Karkat).
 
+Patch 9.1.2139
+Problem:  Buffer overflow in :wlrestore command, caused by assuming
+          wrong buffer length in vwl_log_handler() (Seungyeon Park)
+Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
+          to properly truncate long messages.
+
  vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable

src/testdir/test_wayland.vim

@@ -614,4 +614,9 @@ func Test_wayland_handle_large_data()
   call assert_equal(l:contents, system('wl-paste -n -t TEXT'))
 endfunc
 
+" Test for heap buffer overflow in wayland log handler
+func Test_wayland_protocol_error_overflow()
+  exe "wlrestore " .. repeat('X', 4096)
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2139,
 /**/
     2138,
 /**/

src/wayland.c

@@ -234,7 +234,7 @@ vwl_log_handler(const char *fmt, va_list args)
 	return;
 
     vim_strncpy((char_u*)buf, (char_u*)prefix, len);
-    vim_vsnprintf(buf + len, 4096 - len, fmt, args);
+    vim_vsnprintf(buf + len, 512 - len, fmt, args);
 
     // Remove newline that libwayland puts
     buf[STRLEN(buf) - 1] = NUL;