patch 9.2.0024: Reading files with very long lines crashes with a segfault
Commit: https://github.com/vim/vim/commit/6cc291da063e7d9a74a6337d6a80af2b3bcbb5a9
Author: Christian Brabandt <c...@256bit.org>
Date: Wed Feb 18 21:52:40 2026 +0000
patch 9.2.0024: Reading files with very long lines crashes with a segfault
Problem: Reading files with lines approaching MAXCOL length crashes
with segfault due to colnr_T overflow.
Solution: The split check 'linerest >= MAXCOL' fired too late because
linerest could grow by up to 'size' bytes before the next
check. Change threshold to 'linerest >= MAXCOL - size' to
ensure the line passed to ml_append() stays within colnr_T
range.
Note: supported by AI claude
fixes: #17935
closes: #18953
closes: #19332
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/fileio.c b/src/fileio.c
index 9aceaf887..1f372c39e 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -1170,7 +1170,12 @@ retry:
}
// Protect against the argument of lalloc() going negative.
- if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL)
+ // Also split lines that are too long for colnr_T. After this check
+ // passes, we read up to 'size' more bytes. We must ensure that even
+ // after that read, the line length won't exceed MAXCOL - 1 (because
+ // we add 1 for the NUL when casting to colnr_T). If this check fires,
+ // we insert a synthetic newline immediately, so linerest doesn't grow.
+ if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL - size)
{
++split;
*ptr = NL; // split line by inserting a NL
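Review bot: In the rewritten condition, `size + linerest + 1 < 0` is still evaluated before the new `linerest >= MAXCOL - size` term. Assuming `size` and `linerest` are signed and non-negative at this point (as the `size < 0` test suggests), the middle test can only be true after the addition has already overflowed, which C leaves undefined. Once `size < 0` is ruled out, the new term passes only when `size + linerest < MAXCOL`, so it appears to cover the middle test too. Consider dropping that test or moving it after the new one, so the guard that actually runs is the overflow-free subtraction form. Separately, the diff touches only fileio.c and version.c. If a regression test with a line near MAXCOL is too costly to add, it would help to say so in the commit message.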
diff --git a/src/version.c b/src/version.c
index 965ce4b9e..6618340d7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 24,
/**/
23,
/**/