Commit: patch 9.2.0490: matchfuzzy() can crash on long multi-word patterns
4 views
Skip to first unread message
Christian Brabandt
May 16, 2026, 4:45:15 AM (4 days ago) May 16
to vim...@googlegroups.com
patch 9.2.0490: matchfuzzy() can crash on long multi-word patterns
Commit: https://github.com/vim/vim/commit/88b00d1c57c8713ac5e7f2828c07e3c7da94ac79
Author: glepnir <gleph...@gmail.com>
Date: Sat May 16 08:36:39 2026 +0000
patch 9.2.0490: matchfuzzy() can crash on long multi-word patterns
Problem: matchfuzzy() can crash on long multi-word patterns.
Solution: Clamp pat_chars to maxMatches and stop before calling
match_positions() when the buffer is full (glepnir).
closes: #20209
Signed-off-by: glepnir <gleph...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/fuzzy.c b/src/fuzzy.c
index bb140fcac..2847a2071 100644
--- a/src/fuzzy.c
+++ b/src/fuzzy.c
@@ -85,6 +85,7 @@ fuzzy_match(
int complete = FALSE;
int score = 0;
int numMatches = 0;
+ int pat_chars = 0;
score_t fzy_score;
*outScore = 0;
@@ -118,6 +119,17 @@ fuzzy_match(
complete = TRUE;
*p = NUL;
}
+ // match_positions() always writes pat_chars entries,
+ // so bail if they won't fit.
+ pat_chars = MB_CHARLEN(pat);
+ if (pat_chars > maxMatches)
+ pat_chars = maxMatches;
+ if (numMatches > maxMatches - pat_chars)
+ {
+ numMatches = 0;
+ *outScore = FUZZY_SCORE_NONE;
+ break;
+ }
score = FUZZY_SCORE_NONE;
if (has_match(pat, str))
@@ -143,7 +155,7 @@ fuzzy_match(
else
*outScore += score;
- numMatches += MB_CHARLEN(pat);
+ numMatches += pat_chars;
if (complete || numMatches >= maxMatches)
break;
diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
index eb4c8c656..dfeb074d7 100644
--- a/src/testdir/test_matchfuzzy.vim
+++ b/src/testdir/test_matchfuzzy.vim
@@ -322,4 +322,13 @@ func Test_matchfuzzy_initialized()
call StopVimInTerminal(buf)
endfunc
+func Test_matchfuzzy_long_multiword_no_overflow()
+ let word = repeat('a', 100)
+ let pat_ok = repeat(word . ' ', 9) . word
+ call assert_equal([word], matchfuzzy([word], pat_ok))
+
+ let pat_overflow = repeat(word . ' ', 14) . word
+ call assert_equal([[], [], []], matchfuzzypos([word], pat_overflow))
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index fb89edd04..0a4a84e29 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 490,
/**/
489,
/**/
Commit: https://github.com/vim/vim/commit/88b00d1c57c8713ac5e7f2828c07e3c7da94ac79
Author: glepnir <gleph...@gmail.com>
Date: Sat May 16 08:36:39 2026 +0000
patch 9.2.0490: matchfuzzy() can crash on long multi-word patterns
Problem: matchfuzzy() can crash on long multi-word patterns.
Solution: Clamp pat_chars to maxMatches and stop before calling
match_positions() when the buffer is full (glepnir).
closes: #20209
Signed-off-by: glepnir <gleph...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/fuzzy.c b/src/fuzzy.c
index bb140fcac..2847a2071 100644
--- a/src/fuzzy.c
+++ b/src/fuzzy.c
@@ -85,6 +85,7 @@ fuzzy_match(
int complete = FALSE;
int score = 0;
int numMatches = 0;
+ int pat_chars = 0;
score_t fzy_score;
*outScore = 0;
@@ -118,6 +119,17 @@ fuzzy_match(
complete = TRUE;
*p = NUL;
}
+ // match_positions() always writes pat_chars entries,
+ // so bail if they won't fit.
+ pat_chars = MB_CHARLEN(pat);
+ if (pat_chars > maxMatches)
+ pat_chars = maxMatches;
+ if (numMatches > maxMatches - pat_chars)
+ {
+ numMatches = 0;
+ *outScore = FUZZY_SCORE_NONE;
+ break;
+ }
score = FUZZY_SCORE_NONE;
if (has_match(pat, str))
@@ -143,7 +155,7 @@ fuzzy_match(
else
*outScore += score;
- numMatches += MB_CHARLEN(pat);
+ numMatches += pat_chars;
if (complete || numMatches >= maxMatches)
break;
diff --git a/src/testdir/test_matchfuzzy.vim b/src/testdir/test_matchfuzzy.vim
index eb4c8c656..dfeb074d7 100644
--- a/src/testdir/test_matchfuzzy.vim
+++ b/src/testdir/test_matchfuzzy.vim
@@ -322,4 +322,13 @@ func Test_matchfuzzy_initialized()
call StopVimInTerminal(buf)
endfunc
+func Test_matchfuzzy_long_multiword_no_overflow()
+ let word = repeat('a', 100)
+ let pat_ok = repeat(word . ' ', 9) . word
+ call assert_equal([word], matchfuzzy([word], pat_ok))
+
+ let pat_overflow = repeat(word . ' ', 14) . word
+ call assert_equal([[], [], []], matchfuzzypos([word], pat_overflow))
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index fb89edd04..0a4a84e29 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 490,
/**/
489,
/**/
Reply all
Reply to author
Forward
0 new messages