Commit: patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Christian Brabandt

Feb 27, 2026, 4:16:57 PM
to vim...@googlegroups.com
patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Commit: https://github.com/vim/vim/commit/4e5b9e31cb7484ad156fba995fdce3c9b075b5fd
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Feb 24 20:29:20 2026 +0000

patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Problem: A stack-buffer-overflow occurs when rendering a statusline
with a multi-byte fill character on a very wide terminal.
The size check in build_stl_str_hl() uses the cell width
rather than the byte length, allowing the subsequent fill
loop to write beyond the 4096-byte MAXPATHL buffer
(ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
the fill character (using MB_CHAR2LEN).

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/buffer.c b/src/buffer.c
index 5a639fcf5..d96f2fdc1 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5296,7 +5296,8 @@ build_stl_str_hl(
}
width = maxwidth;
}
- else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)
+ else if (width < maxwidth &&
+ outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)
{
// Find how many separators there are, which we will use when
// figuring out how many groups there are.
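
Review bot: the rewritten `else if` condition mixes units without saying so. `width` and `maxwidth` are cell counts, while the bound they are checked against is the byte counts `outputlen` and `outlen`, which is the same mismatch the old check got wrong. A one-line comment above the condition, for example `// fill is (maxwidth - width) cells, each MB_CHAR2LEN(fillchar) bytes`, would keep a later cleanup from simplifying the multiplication away. The patch as shown touches only src/buffer.c and src/version.c, so it would also help to add a regression test that renders a statusline with a multi-byte fill character at a large width.
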
diff --git a/src/version.c b/src/version.c
index 360e31edf..7abc134fc 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 78,
/**/
77,
/**/