patch 9.2.0211: possible crash when setting 'winhighlight'
Commit:
https://github.com/vim/vim/commit/88cded7ac007981dcab8505d9271c8e9048ab411
Author: Foxe Chen <[email protected]>
Date: Fri Mar 20 21:45:13 2026 +0000
patch 9.2.0211: possible crash when setting 'winhighlight'
Problem: possible crash when setting 'winhighlight'
Solution: Validate the option value more carefully (Foxe Chen)
closes: #19774
Signed-off-by: Foxe Chen <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/highlight.c b/src/highlight.c
index 9e9830bd7..0accfe9be 100644
--- a/src/highlight.c
+++ b/src/highlight.c
@@ -5630,6 +5630,7 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
hl_override_T *arr;
int i = 0;
int num = 1;
+ int n_colons = 0;
if (*p == NUL)
return NULL;
@@ -5640,6 +5641,19 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
p++;
num++;
}
+ p = opt;
+ // Check if number of ':' matches number of ','
+ while ((p = vim_strchr(p, ':')) != NULL)
+ {
+ p++;
+ n_colons++;
+ }
+
+ if (num != n_colons)
+ {
+ *errmsg = e_invalid_argument;
+ return NULL;
+ }
arr = ALLOC_MULT(hl_override_T, num);
if (arr == NULL)
@@ -5667,6 +5681,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
goto fail;
fromlen = p - fromname; // Get hl for "from"
+ if (fromlen == 0)
+ goto fail;
p++; // Skip colon ':'
if (*p == NUL)
goto fail;
@@ -5683,6 +5699,8 @@ parse_winhighlight(char_u *opt, int *len, char **errmsg)
tolen = tmp - toname;
p = ++tmp;
}
+ if (tolen == 0)
+ goto fail;
for (int k = 0; k < 2; k++)
{
diff --git a/src/testdir/util/gen_opt_test.vim
b/src/testdir/util/gen_opt_test.vim
index c2c5191da..72ff49b62 100644
--- a/src/testdir/util/gen_opt_test.vim
+++ b/src/testdir/util/gen_opt_test.vim
@@ -362,7 +362,8 @@ let test_values = {
\ 'winaltkeys': [['no', 'yes', 'menu'], ['', 'xxx']],
\ 'winhighlight': [['Search:Errormsg,Comment:String', 'Search:Comment',
''],
\ ['xxx', ',', 'Search:Comment,',
'Search:Errormsg,Comment:String,',
- \ ':', 'Search:,', 'Search:']],
+ \ ':', 'Search:,', 'Search:', ',Search', ',Search:Test',
'S:,A:B',
+ \ ',', ',S:']],
\
"\ skipped options
\ 'luadll': [[], []],
diff --git a/src/version.c b/src/version.c
index d95613190..c92322949 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 211,
/**/
210,
/**/
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/vim_dev/E1w3hsy-00FLTg-3N%40256bit.org.
