Commit: patch 9.2.0211: possible crash when setting 'winhighlight'
1 view
Skip to first unread message
Christian Brabandt
Mar 20, 2026, 6:02:06 PM (3 days ago) Mar 20
to vim...@googlegroups.com
patch 9.2.0211: possible crash when setting 'winhighlight'
Commit: https://github.com/vim/vim/commit/88cded7ac007981dcab8505d9271c8e9048ab411
Author: Foxe Chen <chen...@gmail.com>
Date: Fri Mar 20 21:45:13 2026 +0000
patch 9.2.0211: possible crash when setting 'winhighlight'
Problem: possible crash when setting 'winhighlight'
Solution: Validate the option value more carefully (Foxe Chen)
closes: #19774
Signed-off-by: Foxe Chen <chen...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/highlight.c b/src/highlight.c
index 9e9830bd7..0accfe9be 100644
--- a/src/highlight.c
+++ b/src/highlight.c
@@ -5630,6 +5630,7 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
hl_override_T *arr;
int i = 0;
int num = 1;
+ int n_colons = 0;
if (*p == NUL)
return NULL;
@@ -5640,6 +5641,19 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
p++;
num++;
}
+ p = opt;
+ // Check if number of ':' matches number of ','
+ while ((p = vim_strchr(p, ':')) != NULL)
+ {
+ p++;
+ n_colons++;
+ }
+
+ if (num != n_colons)
+ {
+ *errmsg = e_invalid_argument;
+ return NULL;
+ }
arr = ALLOC_MULT(hl_override_T, num);
if (arr == NULL)
@@ -5667,6 +5681,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
goto fail;
fromlen = p - fromname; // Get hl for "from"
+ if (fromlen == 0)
+ goto fail;
p++; // Skip colon ':'
if (*p == NUL)
goto fail;
@@ -5683,6 +5699,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
tolen = tmp - toname;
p = ++tmp;
}
+ if (tolen == 0)
+ goto fail;
for (int k = 0; k < 2; k++)
{
diff --git a/src/testdir/util/gen_opt_test.vim b/src/testdir/util/gen_opt_test.vim
index c2c5191da..72ff49b62 100644
--- a/src/testdir/util/gen_opt_test.vim
+++ b/src/testdir/util/gen_opt_test.vim
@@ -362,7 +362,8 @@ let test_values = {
\ 'winaltkeys': [['no', 'yes', 'menu'], ['', 'xxx']],
\ 'winhighlight': [['Search:Errormsg,Comment:String', 'Search:Comment', ''],
\ ['xxx', ',', 'Search:Comment,', 'Search:Errormsg,Comment:String,',
- \ ':', 'Search:,', 'Search:']],
+ \ ':', 'Search:,', 'Search:', ',Search', ',Search:Test', 'S:,A:B',
+ \ ',', ',S:']],
\
"\ skipped options
\ 'luadll': [[], []],
diff --git a/src/version.c b/src/version.c
index d95613190..c92322949 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 211,
/**/
210,
/**/
Commit: https://github.com/vim/vim/commit/88cded7ac007981dcab8505d9271c8e9048ab411
Author: Foxe Chen <chen...@gmail.com>
Date: Fri Mar 20 21:45:13 2026 +0000
patch 9.2.0211: possible crash when setting 'winhighlight'
Problem: possible crash when setting 'winhighlight'
Solution: Validate the option value more carefully (Foxe Chen)
closes: #19774
Signed-off-by: Foxe Chen <chen...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/highlight.c b/src/highlight.c
index 9e9830bd7..0accfe9be 100644
--- a/src/highlight.c
+++ b/src/highlight.c
@@ -5630,6 +5630,7 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
hl_override_T *arr;
int i = 0;
int num = 1;
+ int n_colons = 0;
if (*p == NUL)
return NULL;
@@ -5640,6 +5641,19 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
p++;
num++;
}
+ p = opt;
+ // Check if number of ':' matches number of ','
+ while ((p = vim_strchr(p, ':')) != NULL)
+ {
+ p++;
+ n_colons++;
+ }
+
+ if (num != n_colons)
+ {
+ *errmsg = e_invalid_argument;
+ return NULL;
+ }
arr = ALLOC_MULT(hl_override_T, num);
if (arr == NULL)
@@ -5667,6 +5681,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
goto fail;
fromlen = p - fromname; // Get hl for "from"
+ if (fromlen == 0)
+ goto fail;
p++; // Skip colon ':'
if (*p == NUL)
goto fail;
@@ -5683,6 +5699,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
tolen = tmp - toname;
p = ++tmp;
}
+ if (tolen == 0)
+ goto fail;
for (int k = 0; k < 2; k++)
{
diff --git a/src/testdir/util/gen_opt_test.vim b/src/testdir/util/gen_opt_test.vim
index c2c5191da..72ff49b62 100644
--- a/src/testdir/util/gen_opt_test.vim
+++ b/src/testdir/util/gen_opt_test.vim
@@ -362,7 +362,8 @@ let test_values = {
\ 'winaltkeys': [['no', 'yes', 'menu'], ['', 'xxx']],
\ 'winhighlight': [['Search:Errormsg,Comment:String', 'Search:Comment', ''],
\ ['xxx', ',', 'Search:Comment,', 'Search:Errormsg,Comment:String,',
- \ ':', 'Search:,', 'Search:']],
+ \ ':', 'Search:,', 'Search:', ',Search', ',Search:Test', 'S:,A:B',
+ \ ',', ',S:']],
\
"\ skipped options
\ 'luadll': [[], []],
diff --git a/src/version.c b/src/version.c
index d95613190..c92322949 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 211,
/**/
210,
/**/
Reply all
Reply to author
Forward
0 new messages