git.ipfire.org Git - thirdparty/vim.git/commit

author	Christian Brabandt <cb@256bit.org>
	Sun, 31 May 2026 14:27:16 +0000 (14:27 +0000)
committer	Christian Brabandt <cb@256bit.org>
	Sun, 31 May 2026 14:27:16 +0000 (14:27 +0000)
commit	54ffef7eb83f2592833f422b89bf5f30de6b4bb0
tree	4bfa7875317eeec8510271b4ff2df2ca03dfb6f9	tree \| snapshot
parent	868ad62cb8bf8038322eab2badd31bd98b02b9df	commit \| diff

patch 9.2.0569: out-of-bounds access in libvterm CSI 8 t resize

Problem:  In the bundled libvterm the CSI 8 ; rows ; cols t sequence reaches
          on_resize() without validating its arguments.  Missing, zero or
          negative dimensions cause a negative-size memmove() in
          resize_buffer() and out-of-bounds accesses in set_lineinfo() and
          DECALN, all reachable from output rendered in a terminal window
          (Yukihiro Nakamura).
Solution: Reject missing, zero or negative dimensions before calling
          on_resize().  Also clamp a negative cell width in on_text() as
          hardening for the bundled libvterm.

Signed-off-by: Christian Brabandt <cb@256bit.org>

src/libvterm/src/state.c		diff \| blob \| blame \| history
src/testdir/test_terminal3.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history