Commit: patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Fri, 27 Feb 2026 13:16:57 -0800 

patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Commit: 
https://github.com/vim/vim/commit/4e5b9e31cb7484ad156fba995fdce3c9b075b5fd
Author: Christian Brabandt <[email protected]>
Date:   Tue Feb 24 20:29:20 2026 +0000

    patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()
    
    Problem:  A stack-buffer-overflow occurs when rendering a statusline
              with a multi-byte fill character on a very wide terminal.
              The size check in build_stl_str_hl() uses the cell width
              rather than the byte length, allowing the subsequent fill
              loop to write beyond the 4096-byte MAXPATHL buffer
              (ehdgks0627, un3xploitable).
    Solution: Update the size check to account for the byte length of
              the fill character (using MB_CHAR2LEN).
    
    Github Advisory:
    https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/src/buffer.c b/src/buffer.c
index 5a639fcf5..d96f2fdc1 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5296,7 +5296,8 @@ build_stl_str_hl(
        }
        width = maxwidth;
     }
-    else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)
+    else if (width < maxwidth &&
+           outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)
     {
        // Find how many separators there are, which we will use when
        // figuring out how many groups there are.
diff --git a/src/version.c b/src/version.c
index 360e31edf..7abc134fc 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    78,
 /**/
     77,
 /**/

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/d/msgid/vim_dev/E1vw5B1-00GEtu-I1%40256bit.org.

Raspunde prin e-mail lui