patch 9.2.0565: [security]: out-of-bounds read in update_snapshot()
Problem: Out-of-bounds read in update_snapshot() when a terminal cell
fills all VTERM_MAX_CHARS_PER_CELL slots (a base character
plus five combining marks): the loop over cell.chars[] has no
upper bound and libvterm leaves the array unterminated when full, so
it reads past the array and appends out-of-bounds values to a
buffer sized for only VTERM_MAX_CHARS_PER_CELL characters.
Solution: Bound the loop with i < VTERM_MAX_CHARS_PER_CELL, mirroring
the loop in handle_pushline() (Christian Brabandt).
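
The loop-bound problem described in the message above, as an added illustration that is not Vim's or libvterm's code. The names collect_unbounded, collect_bounded, full_cell, short_cell, out and BACKING_LEN are hypothetical, the sample cells are constructed, and the two extra array words stand in for adjacent memory so the demo itself never reads out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Six slots, per the commit message: a base character plus five combining marks. */
#define VTERM_MAX_CHARS_PER_CELL 6
/* Constructed: two extra words stand in for whatever memory follows cell.chars[]. */
#define BACKING_LEN (VTERM_MAX_CHARS_PER_CELL + 2)

/* Constructed full cell: all six slots used, so no 0 terminator inside the array. */
static const uint32_t full_cell[BACKING_LEN] = {
    0x65, 0x301, 0x302, 0x303, 0x304, 0x305,   /* stand-in for cell.chars[] */
    0x41414141, 0                              /* stand-in for adjacent memory */
};
/* Constructed short cell: terminated by 0 after two characters. */
static const uint32_t short_cell[BACKING_LEN] = { 0x65, 0x301, 0, 0, 0, 0, 0x41414141, 0 };

/* Oversized on purpose so the demo itself stays in bounds. */
static uint32_t out[BACKING_LEN];

/* Pre-patch loop shape: stops only at a 0. The BACKING_LEN check is demo-only. */
static size_t collect_unbounded(const uint32_t *chars)
{
    size_t i;
    for (i = 0; i < BACKING_LEN && chars[i] != 0; ++i)
        out[i] = chars[i];
    return i;
}

/* Patched loop shape: also stops at VTERM_MAX_CHARS_PER_CELL. */
static size_t collect_bounded(const uint32_t *chars)
{
    size_t i;
    for (i = 0; i < VTERM_MAX_CHARS_PER_CELL && chars[i] != 0; ++i)
        out[i] = chars[i];
    return i;
}

int main(void)
{
    printf("short cell: unbounded=%zu bounded=%zu\n",
           collect_unbounded(short_cell), collect_bounded(short_cell));
    printf("full cell:  unbounded=%zu bounded=%zu\n",
           collect_unbounded(full_cell), collect_bounded(full_cell));
    return 0;
}
```

Both loops agree on the short cell; only the full cell separates them, which is why a test for this class of bug needs a cell with every slot occupied.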