Commit: patch 9.2.0266: typeahead buffer overflow during mouse drag event

Christian Brabandt

Mar 29, 2026, 10:02:17 AM
to vim...@googlegroups.com
patch 9.2.0266: typeahead buffer overflow during mouse drag event

Commit: https://github.com/vim/vim/commit/8ea5f2774538e8598681339e136223335a184912
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Sun Mar 29 09:15:14 2026 +0000

patch 9.2.0266: typeahead buffer overflow during mouse drag event

Problem: typeahead buffer overflow during mouse drag event
Solution: Change the guard from 5 to 10 to account for the worst case
(Yasuhiro Matsumoto).

The typeahead buffer guard in mch_inchar() only reserved 5 bytes per
iteration, but a mouse event writes up to 7 bytes (3 header + 4
coordinates) and a scroll event with modifiers writes up to 10 bytes
(3 modifier + 3 scroll + 4 coordinates). During fast mouse dragging,
3+ events could queue up and overflow the 20-byte buffer, corrupting
adjacent static variables and causing garbage bytes (including Ctrl-Z)
to be fed into the input stream, which triggered nv_suspend/ex_stop.

closes: #19851

Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/os_win32.c b/src/os_win32.c
index 431d3b548..edbe895ec 100644
--- a/src/os_win32.c
+++ b/src/os_win32.c
@@ -2424,10 +2424,11 @@ mch_inchar(
# endif

// Keep looping until there is something in the typeahead buffer and more
- // to get and still room in the buffer (up to two bytes for a char and
- // three bytes for a modifier).
+ // to get and still room in the buffer. A mouse event uses up to
+ // 10 bytes: 3 (modifier) + 3 (scroll event) + 4 (coordinates), and a
+ // keyboard input uses up to 7 bytes: 3 (modifier) + 4 (UTF-8 char).
while ((typeaheadlen == 0 || WaitForChar(0L, FALSE))
- && typeaheadlen + 5 + TYPEAHEADSPACE <= TYPEAHEADLEN)
+ && typeaheadlen + 10 + TYPEAHEADSPACE <= TYPEAHEADLEN)
{
if (typebuf_changed(tb_change_cnt))
{
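
Review bot: The literal 10 in the loop condition (`typeaheadlen + 10 + TYPEAHEADSPACE <= TYPEAHEADLEN`) restates the byte counts that the comment above it spells out, so the guard stays correct only while whatever code appends event bytes keeps within that figure; this is the same drift that left the previous value of 5 too small. Consider a named constant for the per-iteration worst case, defined alongside TYPEAHEADLEN and TYPEAHEADSPACE, plus a bounds check at the point where bytes are appended, so that a later change to an event encoding fails visibly instead of writing past the buffer. The patch touches only src/os_win32.c and src/version.c, so no regression test accompanies the change.
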
diff --git a/src/version.c b/src/version.c
index 775a09daa..5a1fd0cd7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 266,
/**/
265,
/**/
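
The guard arithmetic from the commit message above, as an added example that is not part of the patch or of Vim's source: a model that tracks only the fill level of the 20-byte buffer. The function names `peak_fill` and `guard_is_safe` are hypothetical, and `TYPEAHEADSPACE` set to 0 is an assumption, since its value is not shown on this page.

```c
#include <stdio.h>

/* Constructed model, not Vim source. The 20-byte size and the 7- and 10-byte
 * event sizes come from the commit message; TYPEAHEADSPACE is not shown on
 * the page, so 0 is an assumption. */
#define TYPEAHEADLEN   20
#define TYPEAHEADSPACE 0
enum { EV_MOUSE = 7, EV_SCROLL_MOD = 10 };

/* Feed up to nevents events of evsize bytes through a loop whose guard
 * reserves `reserve` bytes per iteration. Only the fill level is tracked;
 * nothing is written. Returns the peak fill level, so a result above
 * TYPEAHEADLEN means the real buffer would have been overrun. */
static int peak_fill(int reserve, int evsize, int nevents)
{
    int len = 0, peak = 0;

    for (int i = 0; i < nevents; i++) {
        if (len + reserve + TYPEAHEADSPACE > TYPEAHEADLEN)
            break;                      /* guard says: no room, stop */
        len += evsize;                  /* event appended after the check */
        if (len > peak)
            peak = len;
    }
    return peak;
}

/* A guard is safe only if, at every fill level it lets through, the
 * largest event still fits. Checks all levels, i.e. any mix of inputs. */
static int guard_is_safe(int reserve, int worst)
{
    for (int len = 0; len <= TYPEAHEADLEN; len++)
        if (len + reserve + TYPEAHEADSPACE <= TYPEAHEADLEN
                && len + worst > TYPEAHEADLEN)
            return 0;
    return 1;
}

int main(void)
{
    printf("guard 5, 3 mouse events: peak %d of %d\n",
           peak_fill(5, EV_MOUSE, 3), TYPEAHEADLEN);
    printf("guard 10, 3 mouse events: peak %d of %d\n",
           peak_fill(10, EV_MOUSE, 3), TYPEAHEADLEN);
    printf("guard 5 safe: %d, guard 10 safe: %d\n",
           guard_is_safe(5, EV_SCROLL_MOD), guard_is_safe(10, EV_SCROLL_MOD));
    return 0;
}
```

Under these assumptions a reserve is sufficient only when it is at least as large as the largest single write, which is why 9 fails the check and 10 passes.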