patch 9.2.0023: fix integer overflow in ml_append_int() for long lines
Commit:
https://github.com/vim/vim/commit/0ece393844a4433e4dc69cde6fe88f99ed7db100
Author: Christian Brabandt <
c...@256bit.org>
Date: Wed Feb 18 21:49:58 2026 +0000
patch 9.2.0023: fix integer overflow in ml_append_int() for long lines
Problem: ml_append_int() crashes when appending lines near MAXCOL
length due to signed integer overflow in space_needed
calculation.
Solution: Change 'space_needed' from int to long to handle the
'len + INDEX_SIZE' computation without overflow. Update
db_free comparison casts from (int) to (long) to match.
Note: supported by AI claude
related: #17935
related: #18953
related: #19332
Signed-off-by: Christian Brabandt <
c...@256bit.org>
diff --git a/src/memline.c b/src/memline.c
index 427b64924..604982a90 100644
--- a/src/memline.c
+++ b/src/memline.c
@@ -2941,7 +2941,7 @@ ml_append_int(
int line_count; // number of indexes in current block
int offset;
int from, to;
- int space_needed; // space needed for new line
+ long space_needed; // space needed for new line
int page_size;
int page_count;
int db_idx; // index for lnum in data block
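Review bot: The new `long space_needed;` declaration only widens the variable where `long` is wider than `int` (LP64); on 64-bit Windows (LLP64) and on 32-bit builds the two types have the same width, so the `len + INDEX_SIZE` sum named in the commit message can presumably still wrap there for lines near MAXCOL. The same limit applies to the `(long)dp->db_free` casts in the three later hunks of this file, where a wrapped, negative space_needed would let a check like `(long)dp->db_free >= space_needed` pass for a line that does not fit in the block. A type that is 64 bits on every supported platform, or an explicit upper bound on `len` before the sum is formed, would close the case on all builds. A comment on the declaration, such as `// wider than int: len may be close to MAXCOL`, would also record why this variable differs from its `int` neighbours. The assignment to space_needed and the rest of ml_append_int() lie outside this hunk, so the operand types of the sum should be confirmed there.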
@@ -3018,7 +3018,7 @@ ml_append_int(
* - not appending to the last line in the file
* insert in front of the next block.
*/
- if ((int)dp->db_free < space_needed && db_idx == line_count - 1
+ if ((long)dp->db_free < space_needed && db_idx == line_count - 1
&& lnum < buf->b_ml.ml_line_count)
{
/*
@@ -3041,7 +3041,7 @@ ml_append_int(
++buf->b_ml.ml_line_count;
- if ((int)dp->db_free >= space_needed) // enough room in data block
+ if ((long)dp->db_free >= space_needed) // enough room in data block
{
/*
* Insert the new line in an existing data block, or in the data block
@@ -3142,7 +3142,7 @@ ml_append_int(
data_moved = ((dp->db_index[db_idx]) & DB_INDEX_MASK) -
dp->db_txt_start;
total_moved = data_moved + lines_moved * INDEX_SIZE;
- if ((int)dp->db_free + total_moved >= space_needed)
+ if ((long)dp->db_free + total_moved >= space_needed)
{
in_left = TRUE; // put new line in left block
space_needed = total_moved;
diff --git a/src/version.c b/src/version.c
index b6d79d2cd..965ce4b9e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 23,
/**/
22,
/**/