Commit: patch 9.2.0185: buffer overflow when redrawing custom tabline
1 view
Skip to first unread message
Christian Brabandt
Mar 17, 2026, 3:02:06 PM (9 hours ago) Mar 17
to vim...@googlegroups.com
patch 9.2.0185: buffer overflow when redrawing custom tabline
Commit: https://github.com/vim/vim/commit/ed7c7fb2257076181afefe13b8967c9afec9b0d6
Author: thinca <thi...@gmail.com>
Date: Tue Mar 17 18:52:58 2026 +0000
patch 9.2.0185: buffer overflow when redrawing custom tabline
Problem: When drawing a custom tabline, if topframe->fr_width is
larger than Columns (possible during tab closure with
showtabpanel=1), Vim writes past the end of the
TabPageIdxs[] array.
Solution: Cap the column limit at Columns to ensure TabPageIdxs is
never accessed out-of-bounds (thinca).
closes: #19725
Supported by AI
Signed-off-by: thinca <thi...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/screen.c b/src/screen.c
index fc99ac372..acef4d38b 100644
--- a/src/screen.c
+++ b/src/screen.c
@@ -1439,6 +1439,9 @@ win_redr_custom(
if (wp == NULL)
{
// Fill the TabPageIdxs[] array for clicking in the tab pagesline.
+ int end_col = firstwin->w_wincol + topframe->fr_width;
+ if (end_col > Columns)
+ end_col = Columns;
col = firstwin->w_wincol;
len = 0;
p = buf;
@@ -1446,12 +1449,14 @@ win_redr_custom(
for (n = 0; tabtab[n].start != NULL; n++)
{
len += vim_strnsize(p, (int)(tabtab[n].start - p));
- while (col < len)
+ while (col < len && col < end_col)
TabPageIdxs[col++] = fillchar;
+ if (col >= end_col)
+ break;
p = tabtab[n].start;
fillchar = tabtab[n].userhl;
}
- while (col < firstwin->w_wincol + topframe->fr_width)
+ while (col < end_col)
TabPageIdxs[col++] = fillchar;
}
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index e02e4f303..21f66cfcd 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -158,6 +158,20 @@ func Test_mouse_click_in_tab()
call RunVim([], [], "-e -s -S Xclickscript -c qa")
endfunc
+func Test_tabline_TabPageIdxs_overflow()
+ " Regression: TabPageIdxs[] overflow when closing a tab with custom
+ " 'tabline' and showtabpanel=1 (firstwin->w_wincol + topframe->fr_width
+ " could exceed Columns).
+ CheckFeature tabpanel
+ let before = [
+ \ 'set showtabpanel=1',
+ \ 'set tabline=foo',
+ \ 'call feedkeys(":qa!\<CR>")',
+ \ ]
+ call RunVim(before, [], '-p Xtabline_overflow_a Xtabline_overflow_b')
+ call assert_equal(0, v:shell_error, 'Vim subprocess must not crash (TabPageIdxs overflow)')
+endfunc
+
func Test_tabline_showcmd()
CheckScreendump
diff --git a/src/version.c b/src/version.c
index 0bfaa8e7a..1f2cf0ec2 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 185,
/**/
184,
/**/
Commit: https://github.com/vim/vim/commit/ed7c7fb2257076181afefe13b8967c9afec9b0d6
Author: thinca <thi...@gmail.com>
Date: Tue Mar 17 18:52:58 2026 +0000
patch 9.2.0185: buffer overflow when redrawing custom tabline
Problem: When drawing a custom tabline, if topframe->fr_width is
larger than Columns (possible during tab closure with
showtabpanel=1), Vim writes past the end of the
TabPageIdxs[] array.
Solution: Cap the column limit at Columns to ensure TabPageIdxs is
never accessed out-of-bounds (thinca).
closes: #19725
Supported by AI
Signed-off-by: thinca <thi...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/screen.c b/src/screen.c
index fc99ac372..acef4d38b 100644
--- a/src/screen.c
+++ b/src/screen.c
@@ -1439,6 +1439,9 @@ win_redr_custom(
if (wp == NULL)
{
// Fill the TabPageIdxs[] array for clicking in the tab pagesline.
+ int end_col = firstwin->w_wincol + topframe->fr_width;
+ if (end_col > Columns)
+ end_col = Columns;
col = firstwin->w_wincol;
len = 0;
p = buf;
@@ -1446,12 +1449,14 @@ win_redr_custom(
for (n = 0; tabtab[n].start != NULL; n++)
{
len += vim_strnsize(p, (int)(tabtab[n].start - p));
- while (col < len)
+ while (col < len && col < end_col)
TabPageIdxs[col++] = fillchar;
+ if (col >= end_col)
+ break;
p = tabtab[n].start;
fillchar = tabtab[n].userhl;
}
- while (col < firstwin->w_wincol + topframe->fr_width)
+ while (col < end_col)
TabPageIdxs[col++] = fillchar;
}
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index e02e4f303..21f66cfcd 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -158,6 +158,20 @@ func Test_mouse_click_in_tab()
call RunVim([], [], "-e -s -S Xclickscript -c qa")
endfunc
+func Test_tabline_TabPageIdxs_overflow()
+ " Regression: TabPageIdxs[] overflow when closing a tab with custom
+ " 'tabline' and showtabpanel=1 (firstwin->w_wincol + topframe->fr_width
+ " could exceed Columns).
+ CheckFeature tabpanel
+ let before = [
+ \ 'set showtabpanel=1',
+ \ 'set tabline=foo',
+ \ 'call feedkeys(":qa!\<CR>")',
+ \ ]
+ call RunVim(before, [], '-p Xtabline_overflow_a Xtabline_overflow_b')
+ call assert_equal(0, v:shell_error, 'Vim subprocess must not crash (TabPageIdxs overflow)')
+endfunc
+
func Test_tabline_showcmd()
CheckScreendump
diff --git a/src/version.c b/src/version.c
index 0bfaa8e7a..1f2cf0ec2 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 185,
/**/
184,
/**/
Reply all
Reply to author
Forward
0 new messages