[vim/vim] fix(win32): prevent typeahead buffer overflow during mouse drag (PR #19851)
mattn
The typeahead buffer guard in mch_inchar() only reserved 5 bytes per
loop iteration, but a mouse event writes up to 7 bytes (3 header + 4
coordinates) and a scroll event with modifiers writes up to 10 bytes.
When dragging the status line quickly on Windows console, 3+ mouse
events could queue up in a single loop pass and overflow the 20-byte
static buffer, corrupting adjacent memory. This caused garbage bytes
to be fed into the input stream, triggering unintended commands such
as Ctrl-Z (suspend).
The bug has existed since Vim 7.0001 but was not visible on the legacy
console where ReadConsole properly skipped MOUSE_EVENT records. With
ConPTY (Windows Terminal), the corruption becomes visible.
Change the guard from 5 to 10 to match the actual worst-case write size.
You can view, comment on, or merge this pull request online at:
https://github.com/vim/vim/pull/19851
Commit Summary
- 7e71c3b fix(win32): prevent typeahead buffer overflow during mouse drag
File Changes
(1 file)
- M src/os_win32.c (7)
Patch Links:
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.