Use an ASan build to reliably observe the crash (a normal build may not crash even though the out-of-bounds write occurs).
# Build with FEAT_TABPANEL and ASan.
CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" ./configure --with-features=huge && make
# With showtabpanel=1 and a custom tabline, opening 2 tabs.
# (The `-n` option is not necessary, but without it, swap files will remain.)
vim -u NONE -n --cmd 'set tabline=xxx showtabpanel=1' -p a.txt b.txt
An ASan build reports a heap-buffer-overflow immediately. A normal build may not crash, but the out-of-bounds write (UB) still occurs.
In win_redr_custom(NULL) (custom 'tabline' drawing), TabPageIdxs[] is filled from firstwin->w_wincol through firstwin->w_wincol + topframe->fr_width - 1.
TabPageIdxs is allocated with only Columns elements in screenalloc(), so a buffer overflow happens when firstwin->w_wincol + topframe->fr_width > Columns.
Example: with showtabpanel=1, tab panel width 20, fr_width=80, Columns=80 → col runs 20..99, so indices 80..99 are out of bounds.
Cap the write range with end_col = min(firstwin->w_wincol + topframe->fr_width, Columns) so that all writes to TabPageIdxs stay within col < end_col (screen.c).
Finally: I used AI to work on this PR.
https://github.com/vim/vim/pull/19730
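As an added illustration (not code from the PR, not Vim's own source), the following small C model replays the situation described in the PR text: an index array allocated with Columns entries (as screenalloc() does), a fill range from firstwin->w_wincol through firstwin->w_wincol + topframe->fr_width - 1, and the capped end_col = min(firstwin->w_wincol + topframe->fr_width, Columns) that the fix applies. The struct and function names (tabidx_buf, overflow_count, fill_tab_idxs_capped, run_scenario) are made up for this model; the scenario values 20/80/80 and 20/80/100 are taken from the PR description and the gdb session in this thread.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the TabPageIdxs[] fill discussed in this PR. Written
 * for illustration only; it is not Vim's code and the names are invented. */
typedef struct {
    int *idxs;     /* stands in for TabPageIdxs[] */
    int  columns;  /* stands in for Columns: the allocation size */
} tabidx_buf;

/* Mirrors the allocation in screenalloc(): exactly Columns entries. */
tabidx_buf *tabidx_alloc(int columns)
{
    tabidx_buf *b = malloc(sizeof *b);
    if (b == NULL)
        return NULL;
    b->idxs = calloc((size_t)columns, sizeof *b->idxs);
    if (b->idxs == NULL) {
        free(b);
        return NULL;
    }
    b->columns = columns;
    return b;
}

void tabidx_free(tabidx_buf *b)
{
    if (b != NULL) {
        free(b->idxs);
        free(b);
    }
}

/* Unpatched range: indices w_wincol .. w_wincol + fr_width - 1.
 * Returns how many of those indices lie past the allocation, i.e. the size
 * of the out-of-bounds write an ASan build would report (0 if it fits). */
int overflow_count(int w_wincol, int fr_width, int columns)
{
    int end = w_wincol + fr_width;
    return end > columns ? end - columns : 0;
}

/* Patched fill: cap the range at end_col = min(w_wincol + fr_width, Columns)
 * and store tab_idx into each in-range slot. Returns the number of slots
 * written; every write satisfies col < end_col <= columns. */
int fill_tab_idxs_capped(tabidx_buf *b, int w_wincol, int fr_width, int tab_idx)
{
    int end_col = w_wincol + fr_width;
    if (end_col > b->columns)
        end_col = b->columns;
    if (w_wincol < 0)          /* defensive clamp for this model only */
        w_wincol = 0;

    int written = 0;
    for (int col = w_wincol; col < end_col; ++col) {
        b->idxs[col] = tab_idx;
        ++written;
    }
    return written;
}

/* Run one scenario through the capped fill and return how many slots it
 * wrote (-1 on allocation failure). */
int run_scenario(int w_wincol, int fr_width, int columns)
{
    tabidx_buf *b = tabidx_alloc(columns);
    if (b == NULL)
        return -1;
    int written = fill_tab_idxs_capped(b, w_wincol, fr_width, 1);
    tabidx_free(b);
    return written;
}

int main(void)
{
    /* Values from the PR description: panel width 20, fr_width 80, Columns 80. */
    printf("inconsistent state: unpatched overflow = %d entries, capped fill wrote %d\n",
           overflow_count(20, 80, 80), run_scenario(20, 80, 80));
    /* Values from the gdb session: w_wincol 20, fr_width 80, Columns 100. */
    printf("consistent state:   unpatched overflow = %d entries, capped fill wrote %d\n",
           overflow_count(20, 80, 100), run_scenario(20, 80, 100));
    return 0;
}
```

In the inconsistent state the unpatched range would write 20 entries past the end of an 80-entry array, while the capped loop stops at index 79; in the consistent state (w_wincol + fr_width == Columns) the cap changes nothing, which is the property the later reply in this thread relies on.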
—
Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.
ASAN test failed after a 30-minute timeout, but the CI in my repository for the same commit passed within 25 minutes.
Thanks. I also noticed the recent timeouts. I am wondering if the tests sometimes take too long, e.g. I can see this in the raw log:
2026-03-17T18:11:53.1681845Z Test vim_ex_function_def_tail_comments OK
2026-03-17T18:11:54.6838252Z
2026-03-17T18:11:55.3923160Z Test vim_ex_function_fold OK
2026-03-17T18:11:56.0386293Z Test vim_ex_function_nested OK
2026-03-17T18:11:56.7315733Z Test vim_ex_function_nested_fold OK
2026-03-17T18:11:57.4858309Z Test vim_ex_grep OK
2026-03-17T18:11:58.0591843Z Test vim_ex_help OK
2026-03-17T18:11:58.8830552Z Test vim_ex_helpgrep OK
2026-03-17T18:11:59.6805853Z Test vim_ex_highlight OK
2026-03-17T18:12:00.5755777Z Test vim_ex_history OK
2026-03-17T18:12:01.7118545Z Test vim_ex_import OK
2026-03-17T18:12:02.7549407Z Test vim_ex_language OK
2026-03-17T18:12:03.3222514Z Test vim_ex_let_heredoc OK
2026-03-17T18:12:03.8367305Z Test vim_ex_loadkeymap OK
2026-03-17T18:12:04.3404628Z Test vim_ex_loadkeymap_after_bar OK
2026-03-17T18:12:05.1937645Z Test vim_ex_loadkeymap_after_colon OK
2026-03-17T18:12:05.8460152Z Test vim_ex_lua OK
2026-03-17T18:12:06.7075844Z Test vim_ex_make OK
2026-03-17T18:12:07.7782541Z Test vim_ex_map OK
2026-03-17T18:12:08.5518858Z Test vim_ex_mark OK
2026-03-17T18:12:09.3855912Z Test vim_ex_match OK
2026-03-17T18:12:10.0977262Z Test vim_ex_menu OK
2026-03-17T18:12:10.9123178Z Test vim_ex_menutranslate OK
2026-03-17T18:12:11.5025049Z Test vim_ex_mzscheme OK
2026-03-17T18:12:12.4010657Z Test vim_ex_normal OK
2026-03-17T18:12:13.0981936Z Test vim_ex_perl OK
2026-03-17T18:12:13.7113675Z Test vim_ex_profile OK
2026-03-17T18:12:14.6118499Z Test vim_ex_prompt_commands OK
2026-03-17T18:12:15.4328328Z Test vim_ex_python OK
2026-03-17T18:12:16.2110028Z Test vim_ex_range OK
2026-03-17T18:12:17.2181647Z Test vim_ex_redir OK
2026-03-17T18:12:18.1272803Z Test vim_ex_ruby OK
2026-03-17T18:12:19.0261815Z Test vim_ex_set OK
2026-03-17T18:12:19.5938960Z Test vim_ex_set_backslash OK
2026-03-17T18:12:20.3545100Z Test vim_ex_sleep OK
2026-03-17T18:12:21.5287360Z Test vim_ex_sort OK
2026-03-17T18:12:22.8245034Z Test vim_ex_substitute OK
2026-03-17T18:12:23.5077214Z Test vim_ex_syntax OK
2026-03-17T18:12:24.3133727Z Test vim_ex_syntime OK
2026-03-17T18:12:25.0413902Z Test vim_ex_tcl OK
2026-03-17T18:12:25.5387501Z Test vim_ex_terminal OK
2026-03-17T18:12:26.1252751Z ##[error]The action 'Test' has timed out after 30 minutes.
2026-03-17T18:12:26.1337814Z Prepare all required actions
As you can see there, there is no real timeout. Not sure what is going on there.
Included as of ed7c7fb. Thanks!
Hmm, the relationship between firstwin->w_wincol, topframe->fr_width, and Columns in the description is inconsistent. Columns also includes the width of the tabpanel. For example, when starting with the following command:
$ vim --clean +"set columns=100 stpl=2 stal=2"
The values will be as follows:
(gdb) p firstwin->w_wincol
$1 = 20
(gdb) p topframe->fr_width
$2 = 80
(gdb) p Columns
$3 = 100
Therefore, if the relationship is broken in this process, we should fix the root cause.
Ah, I see, so --cmd keeps the relationship broken.