Commit: patch 9.2.0271: buffer underflow in vim_fgets()


Christian Brabandt

Mar 29, 2026, 11:47:13 AM (2 days ago) Mar 29
to vim...@googlegroups.com
patch 9.2.0271: buffer underflow in vim_fgets()

Commit: https://github.com/vim/vim/commit/3c0f8000e152ceb02619249f5ebf06d6ffe9c8d8
Author: Koda Reef <koda...@gmail.com>
Date: Sun Mar 29 15:19:49 2026 +0000

patch 9.2.0271: buffer underflow in vim_fgets()

Problem: buffer underflow in vim_fgets()
Solution: Ensure size is always greater than 1
(Koda Reef)

Signed-off-by: Koda Reef <koda...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/fileio.c b/src/fileio.c
index e057b78ad..975dc310e 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -3833,6 +3833,14 @@ vim_fgets(char_u *buf, int size, FILE *fp)
#define FGETS_SIZE 200
char tbuf[FGETS_SIZE];

+ // safety check
+ if (size < 2)
+ {
+ if (size == 1)
+ buf[0] = NUL;
+ return TRUE;
+ }
+
buf[size - 2] = NUL;
eof = fgets((char *)buf, size, fp);
if (buf[size - 2] != NUL && buf[size - 2] != '
')
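Review bot: The new early return reports TRUE for an invalid size, which callers presumably cannot tell apart from the function's end-of-file result (the return contract is outside the hunk), and for size <= 0 it leaves buf untouched, so a caller that reads buf afterwards sees stale data. The `// safety check` comment should state the invariant instead, for example `// buf[size - 2] is used as a sentinel below, so "size" must be at least 2`. Callers that take the length from file content still need their own lower bound, as the viminfo.c hunk in this commit adds. The body of vim_fgets() starts before and continues past this hunk.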
diff --git a/src/testdir/test_viminfo.vim b/src/testdir/test_viminfo.vim
index e3767e9a2..ff79265f8 100644
--- a/src/testdir/test_viminfo.vim
+++ b/src/testdir/test_viminfo.vim
@@ -1351,4 +1351,24 @@ func Test_viminfo_global_var()
let &viminfo = _viminfo
endfunc

+func Test_viminfo_len_one()
+ let _viminfofile = &viminfofile
+ let &viminfofile=''
+ let viminfo_file = tempname()
+ call histadd('cmd', '" TEST')
+ defer delete(viminfo_file)
+
+ " Craft a viminfo entry with ^V1 length prefix (len == 1)
+ call writefile([
+ \ '*encoding=utf-8',
+ \ ':' .. "\x161" .. 'X',
+ \ ], viminfo_file, 'b')
+
+ " Should not crash or cause memory errors
+ exe 'rviminfo! ' .. viminfo_file
+ call assert_equal('" TEST', histget(':', -1))
+
+ let &viminfofile = _viminfofile
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
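Review bot: With the viminfo.c change in this commit a `^V1` length prefix is rejected before any buffer is allocated, so Test_viminfo_len_one() appears to cover only the bound in viminfo_readstring() and not the new size guard in vim_fgets(). The comment `" Should not crash or cause memory errors` would be more accurate as `" len == 1 must be rejected and the history left unchanged; memory errors only show under ASan/Valgrind`. The closing `let &viminfofile = _viminfofile` is skipped if `rviminfo!` aborts the function, and the `'" TEST'` entry added with histadd() is never removed, so later tests may inherit both.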
diff --git a/src/version.c b/src/version.c
index 24341528f..6c60c9dc2 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 271,
/**/
270,
/**/
diff --git a/src/viminfo.c b/src/viminfo.c
index 7de591f1b..9b60ec594 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -265,7 +265,7 @@ viminfo_readstring(
if (virp->vir_line[off] == Ctrl_V && vim_isdigit(virp->vir_line[off + 1]))
{
len = atol((char *)virp->vir_line + off + 1);
- if (len > 0 && len < 1000000)
+ if (len > 1 && len < 1000000)
retval = lalloc(len, TRUE);
if (retval == NULL)
{
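Review bot: The lower bound `len > 1` has no comment explaining why 1 is rejected, and the reason lives in another file: vim_fgets() writes `buf[size - 2]`, so a length of 1 would index one byte before the allocation. A comment above the check would keep the two in step, for example `// vim_fgets() needs room for one character plus the NUL, so reject lengths below 2`. `len` comes from atol() on file content, whose result the C standard leaves undefined when the digits do not fit in a long; whether that matters here depends on code outside the hunk. The body of viminfo_readstring() continues past the hunk's last line.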