Commit: patch 9.2.0348: potential buffer underrun when setting statusline like option


Christian Brabandt

Apr 14, 2026, 2:30:16 PMApr 14
to vim...@googlegroups.com
patch 9.2.0348: potential buffer underrun when setting statusline like option

Commit: https://github.com/vim/vim/commit/91b402f57575ed33649285043a3c631701165f4a
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Apr 14 18:18:36 2026 +0000

patch 9.2.0348: potential buffer underrun when setting statusline like option

Problem: potential buffer underrun when setting a statusline-like option
(q1uf3ng)
Solution: Validate that p > out before accessing p[-1]

closes: #19961

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/buffer.c b/src/buffer.c
index cbee49e1a..20f8dcc45 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5028,7 +5028,7 @@ build_stl_str_hl_local(
if (*s != '}') // missing '}' or out of space
break;
s++;
- if (reevaluate)
+ if (reevaluate && p > out)
p[-1] = NUL; // remove the % at the end of %{% expr %}
else
*p = NUL;
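Review bot: The new guard on the `if (reevaluate && p > out)` line only rules out a write before the start of the whole output buffer; it does not check that any expression text was actually copied. If the expression is empty but earlier items have already been written to `out`, `p[-1] = NUL` would presumably still overwrite the last byte of that earlier output and leave `*p` itself unterminated. The function starts and ends outside this hunk, so this needs confirming, but if a pointer to where the expression copy began is kept (upstream this appears to be `t`), `if (reevaluate && p > t)` would be the tighter check. A one-line comment such as `// nothing copied: no trailing % to strip` would also explain why the empty case takes the else branch.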
diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
index 7dbb1d208..270f1ddbc 100644
--- a/src/testdir/test_cmdline.vim
+++ b/src/testdir/test_cmdline.vim
@@ -5390,4 +5390,14 @@ func Test_breaklist_args_fails()
call assert_fails(':breaklist extra', 'E488:')
endfunc

+func Test_rulerformat_empty()
+ set ruler rulerformat=%!'%{}%'
+ try
+ redraw
+ catch
+ endtry
+ set ruler&
+ set rulerformat&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
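Review bot: `Test_rulerformat_empty` swallows every error in an empty `catch` and asserts nothing, so it can only fail if Vim crashes or a sanitizer build reports the bad write. A comment stating that, e.g. `" This used to write before the start of the output buffer (caught by ASan/valgrind)`, would make the intent clear. The format string `%{}%` also does not look like the `%{% expr %}` form named in the comment on the patched line of buffer.c, so it is worth confirming that the test really reaches the `p[-1]` branch on an unpatched build. The same applies to `Test_statusline_empty`, `Test_tabline_empty` and `Test_tabpanel_empty` in the later hunks.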
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index d33c06252..7bd07ca0b 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -870,9 +870,6 @@ func Test_set_option_errors()
call assert_fails('set commentstring=x', 'E537:')
call assert_fails('let &commentstring = "x"', 'E537:')
call assert_fails('set complete=x', 'E539:')
- call assert_fails('set rulerformat=%-', 'E539:')
- call assert_fails('set rulerformat=%(', 'E542:')
- call assert_fails('set rulerformat=%15(%%', 'E542:')

" Test for 'statusline' errors
call assert_fails('set statusline=%$', 'E539:')
@@ -890,6 +887,11 @@ func Test_set_option_errors()
call assert_fails('set tabline=%(', 'E542:')
call assert_fails('set tabline=%)', 'E542:')

+ " Test for 'rulerformat' errors
+ call assert_fails('set rulerformat=%-', 'E539:')
+ call assert_fails('set rulerformat=%(', 'E542:')
+ call assert_fails('set rulerformat=%15(%%', 'E542:')
+
if has('cursorshape')
" This invalid value for 'guicursor' used to cause Vim to crash.
call assert_fails('set guicursor=i-ci,r-cr:h', 'E545:')
diff --git a/src/testdir/test_statusline.vim b/src/testdir/test_statusline.vim
index 27fef946a..6936ca807 100644
--- a/src/testdir/test_statusline.vim
+++ b/src/testdir/test_statusline.vim
@@ -930,4 +930,14 @@ func Test_tabline_click_handler()
endif
endfunc

+func Test_statusline_empty()
+ set laststatus=2 statusline=%!'%{}%'
+ try
+ redraw!
+ catch
+ endtry
+ set laststatus&
+ set statusline&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index 21f66cfcd..7ae060248 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -250,4 +250,14 @@ func Test_tabline_mouse_enable()
endfor
endfunc

+func Test_tabline_empty()
+ set showtabline=2 tabline=%!'%{}%'
+ try
+ redraw!
+ catch
+ endtry
+ set showtabline&
+ set tabline&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
index f983e2b37..4bb7f39eb 100644
--- a/src/testdir/test_tabpanel.vim
+++ b/src/testdir/test_tabpanel.vim
@@ -923,4 +923,14 @@ func Test_tabpanel_variable_height()
%bwipeout!
endfunc

+func Test_tabpanel_empty()
+ set showtabpanel=2 tabpanel=%!'%{}%'
+ try
+ redraw!
+ catch
+ endtry
+ set showtabpanel&
+ set tabpanel&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 63d8715aa..dec32640e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 348,
/**/
347,
/**/