Commit: patch 9.1.2139: Buffer overflow in :wlrestore command
3 views
Skip to first unread message
Christian Brabandt
Feb 7, 2026, 10:16:35 AM (yesterday) Feb 7
to vim...@googlegroups.com
patch 9.1.2139: Buffer overflow in :wlrestore command
Commit: https://github.com/vim/vim/commit/2498a460e2ab4b0452acfa96a42260667c63b93b
Author: Christian Brabandt <c...@256bit.org>
Date: Sat Feb 7 15:07:32 2026 +0000
patch 9.1.2139: Buffer overflow in :wlrestore command
Problem: Buffer overflow in :wlrestore command, caused by assuming
wrong buffer length in vwl_log_handler() (Seungyeon Park)
Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
to properly truncate long messages.
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index 843868c20..989c7c07b 100644
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52517,4 +52517,10 @@ Problem: With 'autochdir' win_execute() can corrupt the buffer name, causing
:write to use wrong path.
Solution: Save and restore b_fname when 'autochdir' is active (Ingo Karkat).
+Patch 9.1.2139
+Problem: Buffer overflow in :wlrestore command, caused by assuming
+ wrong buffer length in vwl_log_handler() (Seungyeon Park)
+Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
+ to properly truncate long messages.
+
vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
diff --git a/src/testdir/test_wayland.vim b/src/testdir/test_wayland.vim
index 155172a0f..c18b6b5d0 100644
--- a/src/testdir/test_wayland.vim
+++ b/src/testdir/test_wayland.vim
@@ -614,4 +614,9 @@ func Test_wayland_handle_large_data()
call assert_equal(l:contents, system('wl-paste -n -t TEXT'))
endfunc
+" Test for heap buffer overflow in wayland log handler
+func Test_wayland_protocol_error_overflow()
+ exe "wlrestore " .. repeat('X', 4096)
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 0a395c50e..a892d87c7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2139,
/**/
2138,
/**/
diff --git a/src/wayland.c b/src/wayland.c
index 4db13c4c0..6461337aa 100644
--- a/src/wayland.c
+++ b/src/wayland.c
@@ -234,7 +234,7 @@ vwl_log_handler(const char *fmt, va_list args)
return;
vim_strncpy((char_u*)buf, (char_u*)prefix, len);
- vim_vsnprintf(buf + len, 4096 - len, fmt, args);
+ vim_vsnprintf(buf + len, 512 - len, fmt, args);
// Remove newline that libwayland puts
buf[STRLEN(buf) - 1] = NUL;
Commit: https://github.com/vim/vim/commit/2498a460e2ab4b0452acfa96a42260667c63b93b
Author: Christian Brabandt <c...@256bit.org>
Date: Sat Feb 7 15:07:32 2026 +0000
patch 9.1.2139: Buffer overflow in :wlrestore command
Problem: Buffer overflow in :wlrestore command, caused by assuming
wrong buffer length in vwl_log_handler() (Seungyeon Park)
Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
to properly truncate long messages.
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index 843868c20..989c7c07b 100644
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52517,4 +52517,10 @@ Problem: With 'autochdir' win_execute() can corrupt the buffer name, causing
:write to use wrong path.
Solution: Save and restore b_fname when 'autochdir' is active (Ingo Karkat).
+Patch 9.1.2139
+Problem: Buffer overflow in :wlrestore command, caused by assuming
+ wrong buffer length in vwl_log_handler() (Seungyeon Park)
+Solution: Use correct buffer size (512 bytes) in vim_vsnprintf()
+ to properly truncate long messages.
+
vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
diff --git a/src/testdir/test_wayland.vim b/src/testdir/test_wayland.vim
index 155172a0f..c18b6b5d0 100644
--- a/src/testdir/test_wayland.vim
+++ b/src/testdir/test_wayland.vim
@@ -614,4 +614,9 @@ func Test_wayland_handle_large_data()
call assert_equal(l:contents, system('wl-paste -n -t TEXT'))
endfunc
+" Test for heap buffer overflow in wayland log handler
+func Test_wayland_protocol_error_overflow()
+ exe "wlrestore " .. repeat('X', 4096)
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 0a395c50e..a892d87c7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2139,
/**/
2138,
/**/
diff --git a/src/wayland.c b/src/wayland.c
index 4db13c4c0..6461337aa 100644
--- a/src/wayland.c
+++ b/src/wayland.c
@@ -234,7 +234,7 @@ vwl_log_handler(const char *fmt, va_list args)
return;
vim_strncpy((char_u*)buf, (char_u*)prefix, len);
- vim_vsnprintf(buf + len, 4096 - len, fmt, args);
+ vim_vsnprintf(buf + len, 512 - len, fmt, args);
// Remove newline that libwayland puts
buf[STRLEN(buf) - 1] = NUL;
Reply all
Reply to author
Forward
0 new messages