averello/macvim-mirror
1
0
Fork 0
mirror of https://github.com/macvim-dev/macvim.git synced 2026-05-28 00:21:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

patch 9.2.0185: buffer overflow when redrawing custom tabline

Browse Source 
Problem:  When drawing a custom tabline, if topframe->fr_width is
          larger than Columns (possible during tab closure with
          showtabpanel=1), Vim writes past the end of the
          TabPageIdxs[] array.
Solution: Cap the column limit at Columns to ensure TabPageIdxs is
          never accessed out-of-bounds (thinca).

closes: #19725

Supported by AI

Signed-off-by: thinca <thinca@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
thinca
2026-03-17 18:52:58 +00:00
committed by Christian Brabandt
parent 3f53a2ce2f
commit ed7c7fb225
3 changed files with 23 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/screen.c
+7 -2
View File
@@ -1439,6 +1439,9 @@ win_redr_custom(
if (wp == NULL)
{
// Fill the TabPageIdxs[] array for clicking in the tab pagesline.
int end_col = firstwin->w_wincol + topframe->fr_width;
if (end_col > Columns)
end_col = Columns;
col = firstwin->w_wincol;
len = 0;
p = buf;
@@ -1446,12 +1449,14 @@ win_redr_custom(
for (n = 0; tabtab[n].start != NULL; n++)
{
len += vim_strnsize(p, (int)(tabtab[n].start - p));
while (col < len)
while (col < len && col < end_col)
TabPageIdxs[col++] = fillchar;
if (col >= end_col)
break;
p = tabtab[n].start;
fillchar = tabtab[n].userhl;
}
while (col < firstwin->w_wincol + topframe->fr_width)
while (col < end_col)
TabPageIdxs[col++] = fillchar;
}
src/testdir/test_tabline.vim
+14
View File
@@ -158,6 +158,20 @@ func Test_mouse_click_in_tab()
call RunVim([], [], "-e -s -S Xclickscript -c qa")
endfunc
func Test_tabline_TabPageIdxs_overflow()
" Regression: TabPageIdxs[] overflow when closing a tab with custom
" 'tabline' and showtabpanel=1 (firstwin->w_wincol + topframe->fr_width
" could exceed Columns).
CheckFeature tabpanel
let before = [
\ 'set showtabpanel=1',
\ 'set tabline=foo',
\ 'call feedkeys(":qa!\<CR>")',
\ ]
call RunVim(before, [], '-p Xtabline_overflow_a Xtabline_overflow_b')
call assert_equal(0, v:shell_error, 'Vim subprocess must not crash (TabPageIdxs overflow)')
endfunc
func Test_tabline_showcmd()
CheckScreendump
src/version.c
+2
View File
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
185,
/**/
184,
/**/