[vim/vim] Fix heap buffer overflow when in COMPAREANY instruction (PR #18945)


Foxe Chen

Dec 16, 2025, 3:30:43 PM
to vim/vim, Subscribed

Reproduce:

  1. Compile with ASAN
  2. Run this script:
vim9script

enum DirectiveType
    Unknown,
    Set
endenum

type PatternSteps = list<any>
type Directive = tuple<DirectiveType, PatternSteps>

def g:Test(): void
    var directives: list<list<Directive>>

    directives[0] = [(DirectiveType.Unknown, ["eq", 1, "hello"])]

    for directive: Directive in directives[0]
        if directive[0] == 'set!'
        endif
    endfor
enddef

A heap buffer overflow will occur because object_equal() attempts to compare a VAR_OBJECT typval_T with a non-VAR_OBJECT typval_T, as there is no check in typval_compare_object().


You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/18945

Commit Summary

  • 7af9c56 fix heap buffer overflow when in COMPAREANY instruction

File Changes

(2 files)
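
The missing check described in the report above, as an added C example that is not Vim's source or code from this PR. It is a simplified tagged-value model (tv_t, obj_t, obj_equal, compare_unchecked and compare_checked are hypothetical names) showing why both operand tags must be validated before the union is read as an object pointer.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a tagged value; NOT Vim's real typval_T/object_T. */
typedef enum { T_STRING, T_OBJECT } vtype_t;
typedef struct { int class_id; int nfields; long fields[4]; } obj_t;
typedef struct {
    vtype_t type;                        /* says which union member is valid */
    union { char *str; obj_t *obj; } v;
} tv_t;

enum { CMP_EQUAL = 1, CMP_DIFFER = 0, CMP_ERROR = -1 };

/* Trusts both pointers to be obj_t: reads class_id, nfields and fields[]. */
static int obj_equal(const obj_t *a, const obj_t *b)
{
    if (a == b) return 1;
    if (a == NULL || b == NULL) return 0;
    if (a->class_id != b->class_id || a->nfields != b->nfields) return 0;
    return memcmp(a->fields, b->fields, sizeof(long) * (size_t)a->nfields) == 0;
}

/* Unchecked form, the shape of the bug: with b->type == T_STRING the union
 * holds a char* to a short string buffer, and obj_equal() would read obj_t
 * fields through it. Only safe when both tags are T_OBJECT. */
static int compare_unchecked(const tv_t *a, const tv_t *b)
{
    return obj_equal(a->v.obj, b->v.obj) ? CMP_EQUAL : CMP_DIFFER;
}

/* Checked form: validate both tags before touching the union. */
static int compare_checked(const tv_t *a, const tv_t *b)
{
    if (a->type != T_OBJECT || b->type != T_OBJECT)
        return CMP_ERROR;   /* caller reports the type error instead */
    return compare_unchecked(a, b);
}

int main(void)
{
    obj_t o = { 1, 2, { 10, 20, 0, 0 } };
    char s[] = "set!";      /* constructed sample: 5 bytes, smaller than obj_t */
    tv_t left = { T_OBJECT, { .obj = &o } }, right = { T_STRING, { .str = s } };
    printf("object vs string: %d\n", compare_checked(&left, &right));
    printf("object vs itself: %d\n", compare_checked(&left, &left));
    return 0;
}
```

The example never calls compare_unchecked() with mismatched tags; building a variant that does, with -fsanitize=address, is how the out-of-bounds read would show up in this model.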


zeertzjq

Dec 16, 2025, 5:46:40 PM
to vim/vim, Subscribed
zeertzjq left a comment (vim/vim#18945)

You need to add a *E1572* tag somewhere in the docs.



Foxe Chen

Dec 16, 2025, 6:26:59 PM
to vim/vim, Push

@64-bitman pushed 1 commit.

  • 7767aab fix heap buffer overflow when in COMPAREANY instruction



Foxe Chen

Dec 16, 2025, 6:27:24 PM
to vim/vim, Push

@64-bitman pushed 1 commit.

  • 4abe609 fix heap buffer overflow when in COMPAREANY instruction


Yegappan Lakshmanan

12:27 AM
to vim/vim, Subscribed

@yegappan commented on this pull request.


In src/errors.h:

> @@ -3802,4 +3802,6 @@ EXTERN char e_cannot_add_redraw_listener_in_listener_callback[]
 	INIT(= N_("E1570: Cannot use redraw_listener_add in a redraw listener callback"));
 EXTERN char e_no_redraw_listener_callbacks_defined[]
 	INIT(= N_("E1571: Must specify at least one callback for redraw_listener_add"));
+EXTERN char e_can_only_compare_object_with_object[]

The error numbers E1437 - E1499 are unused and are reserved for the Vim9 class support. Can you use E1437 instead of E1572?



Foxe Chen

12:48 AM
to vim/vim, Subscribed

@64-bitman commented on this pull request.


In src/errors.h:

> @@ -3802,4 +3802,6 @@ EXTERN char e_cannot_add_redraw_listener_in_listener_callback[]
 	INIT(= N_("E1570: Cannot use redraw_listener_add in a redraw listener callback"));
 EXTERN char e_no_redraw_listener_callbacks_defined[]
 	INIT(= N_("E1571: Must specify at least one callback for redraw_listener_add"));
+EXTERN char e_can_only_compare_object_with_object[]

Of course



Foxe Chen

12:50 AM
to vim/vim, Push

@64-bitman pushed 1 commit.

  • c21c25c fix heap buffer overflow when in COMPAREANY instruction


Yegappan Lakshmanan

12:52 AM
to vim/vim, Subscribed

@yegappan commented on this pull request.


In src/errors.h:

> @@ -3631,6 +3631,8 @@ EXTERN char e_enum_can_only_be_used_in_script[]
 	INIT(= N_("E1435: Enum can only be used in a script"));
 EXTERN char e_interface_can_only_be_used_in_script[]
 	INIT(= N_("E1436: Interface can only be used in a script"));
+EXTERN char e_can_only_compare_object_with_object[]
+	INIT(= N_("E1437: Can only compare Object with Object"));
 #endif
 // E1437 - E1499 unused (reserved for Vim9 class support)
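
Review bot: The new e_can_only_compare_object_with_object declaration sits above the #endif on the context line, so it is only defined when the condition that opens that block (outside this hunk) holds. Please confirm that the code raising E1437 is compiled under the same condition, so a build with that condition false does not reference an undeclared symbol.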

Can you change this comment to "// E1438 - E1499 unused (reserved for Vim9 class support)"?



Yegappan Lakshmanan

12:53 AM
to vim/vim, Subscribed

@yegappan commented on this pull request.


In src/testdir/test_vim9_class.vim:

> +        Set
+    endenum
+
+    type PatternSteps = list<any>
+    type Directive = tuple<DirectiveType, PatternSteps>
+
+    def Test(): void
+        var directive: Directive = (DirectiveType.Unknown, ["eq", 1, "hello"])
+
+        if directive[0] == "test"
+        endif
+    enddef
+
+    Test()
+  END
+  v9.CheckSourceFailure(lines, 'E1572: Can only compare Object with Object', 3)
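
Review bot: The test covers only one operand order and one operator, the object on the left with == (directive[0] == "test"). Since the overflow came from comparing an object with a non-object, add the reversed order ("test" == directive[0]) and a != case so that a check validating only one operand would be caught.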

The error number in this message should be changed to E1437.

