patch 9.2.0024: Reading files with very long lines crashes with a segfault

Commit: 
https://github.com/vim/vim/commit/6cc291da063e7d9a74a6337d6a80af2b3bcbb5a9
Author: Christian Brabandt <[email protected]>
Date:   Wed Feb 18 21:52:40 2026 +0000

    patch 9.2.0024: Reading files with very long lines crashes with a segfault
    
    Problem:  Reading files with lines approaching MAXCOL length crashes
              with segfault due to colnr_T overflow.
    Solution: The split check 'linerest >= MAXCOL' fired too late because
              linerest could grow by up to 'size' bytes before the next
              check. Change threshold to 'linerest >= MAXCOL - size' to
              ensure the line passed to ml_append() stays within colnr_T
              range.
    
    Note: supported by AI claude
    
    fixes:   #17935
    closes:  #18953
    closes:  #19332
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/src/fileio.c b/src/fileio.c
index 9aceaf887..1f372c39e 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -1170,7 +1170,12 @@ retry:
        }
 
        // Protect against the argument of lalloc() going negative.
-       if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL)
+       // Also split lines that are too long for colnr_T.  After this check
+       // passes, we read up to 'size' more bytes.  We must ensure that even
+       // after that read, the line length won't exceed MAXCOL - 1 (because
+       // we add 1 for the NUL when casting to colnr_T).  If this check fires,
+       // we insert a synthetic newline immediately, so linerest doesn't grow.
+       if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL - size)
        {
            ++split;
            *ptr = NL;              // split line by inserting a NL
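Review bot: the new third operand, `linerest >= MAXCOL - size`, is only safe because `size < 0` is tested first in the same `||` chain, and the added comment does not say so. Please note that ordering dependency in the comment so a later reorder of the operands does not reintroduce a wraparound in the subtraction. Also, if `size` can ever be `MAXCOL` or larger, the threshold becomes zero or negative and the split branch is taken even when `linerest` is 0. The bound on `size` is not visible in this hunk, so either state the assumed maximum in the comment or guard for it explicitly. When the branch is not taken, `linerest + size <= MAXCOL - 1` holds, which matches the comment. The diff touches only src/fileio.c and src/version.c; a regression test that reads a line whose length approaches MAXCOL would keep this boundary from regressing.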
diff --git a/src/version.c b/src/version.c
index 965ce4b9e..6618340d7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    24,
 /**/
     23,
 /**/
