patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file

Commit: 
https://github.com/vim/vim/commit/b2e55ed1d6c9d9af0e1afa6deedf0fec7a49c8c8
Author: Christian Brabandt <[email protected]>
Date:   Wed Apr 1 15:03:58 2026 +0000

    patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file
    
    Problem:  Reading a crafted viminfo file can cause a heap buffer
              overflow because the length value from getdigits() is cast to
              int, truncating large size_t values
    Solution: Remove the (int) cast when calling alloc() (sentinel404)
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/src/testdir/test_viminfo.vim b/src/testdir/test_viminfo.vim
index ff79265f8..b3a8b91cb 100644
--- a/src/testdir/test_viminfo.vim
+++ b/src/testdir/test_viminfo.vim
@@ -1371,4 +1371,24 @@ func Test_viminfo_len_one()
   let &viminfofile = _viminfofile
 endfunc
 
+func Test_viminfo_len_overflow()
+  let _viminfofile = &viminfofile
+  let &viminfofile=''
+  let viminfo_file = tempname()
+  defer delete(viminfo_file)
+
+  " Craft a viminfo entry with size_t length overflow
+  call writefile(['# Viminfo',
+        \ '|1,4', '|2,>4294967311',
+        \ '|<"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
+        \ '|<BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB',
+        \ '|<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC',
+        \ '|<DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD'], viminfo_file, 'b')
+
+  " Should not crash or cause memory errors
+  exe 'rviminfo! ' .. viminfo_file
+
+  let &viminfofile = _viminfofile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
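Review bot: `let &viminfofile=''` on the third line of the new function drops the spaces around `=` that the rest of this test (and the restore line `let &viminfofile = _viminfofile` in the same function) uses; `let &viminfofile = ''` keeps the style consistent. The comment "Should not crash or cause memory errors" could also say what actually detects the bug, since on a build without a memory sanitizer the undersized allocation may be silently overrun and the test would presumably still pass; a wording such as `" Should not crash; the heap overflow is only reported by ASAN/valgrind builds` tells a reader why a green run on a plain build proves little. Test_viminfo_len_overflow is complete within the hunk.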
diff --git a/src/version.c b/src/version.c
index 075253bfd..009c33276 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    278,
 /**/
     277,
 /**/
diff --git a/src/viminfo.c b/src/viminfo.c
index 9b60ec594..8b6aa3e70 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -1054,7 +1054,7 @@ barline_parse(vir_T *virp, char_u *text, garray_T *values)
                // Length includes the quotes.
                ++p;
                len = getdigits(&p);
-               buf = alloc((int)(len + 1));
+               buf = alloc(len + 1);
                if (buf == NULL)
                    return TRUE;
                p = buf;
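Review bot: Dropping the cast removes the truncation, but `len` is still whatever digits the file declares, so a crafted entry like the `>4294967311` value in the new test now asks alloc() for a multi-gigabyte buffer instead of a truncated one; if `len` is a signed type (getdigits() returns a signed value and accepts a leading `-`), a negative value also reaches `len + 1` and converts to a huge size_t. A bound check before the allocation, e.g. `if (len < 0 || len > VIMINFO_MAX_LEN /* placeholder: bound to be chosen */) return TRUE;`, would reject implausible lengths up front rather than relying on the allocation failing, and the `if (buf == NULL) return TRUE;` that follows would then only handle genuine out-of-memory. Whether `len` is size_t or long is not visible in this hunk (the commit message says size_t), so the negative-value case is inferred. barline_parse() starts and ends outside the hunk, including the loop that fills `buf`.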
