git.ipfire.org Git - thirdparty/vim.git/commit

author	Yee Cheng Chin <ychin.git@gmail.com>
	Sun, 20 Jul 2025 07:19:13 +0000 (09:19 +0200)
committer	Christian Brabandt <cb@256bit.org>
	Sun, 20 Jul 2025 07:19:13 +0000 (09:19 +0200)
commit	c8b99e2d139cf72c567892e44939f2719f703fa8
tree	df6fa699ed92726574ca8b68352cfe54955464a7	tree \| snapshot
parent	0e40501a9d1ff9bd06f8a829a8a255a0964edb3c	commit \| diff

patch 9.1.1567: crash when using inline diff mode

Problem:  Crash when using inline diff mode
          (Ilya Grigoriev)
Solution: Set tp_diffbuf to NULL when skipping a diff block
          (Yee Cheng Chin).

Fix an array out of bounds crash when using diffopt+=inline:char when 4
or more buffers are being diff'ed. This happens when one of the blocks
is empty. The inline highlight logic skips using that buffer's block,
but when another buffer is used later and calls diff_read() to merge the
diff blocks together, it could erroneously consider the empty block's
diff info which has not been initialized, leaving to diff numbers that
are invalid. Later on the diff num is used without bounds checking which
leads to the crash.

Fix this by making sure to unset tp_diffbuf to NULL when we skip a
block, so diff_read() will not consider this buffer to be used within
inline diff. Also, add more bounds checking just to be safe.

closes: #17805

Signed-off-by: Yee Cheng Chin <ychin.git@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/diff.c		diff \| blob \| blame \| history
src/testdir/dumps/Test_diff_inline_multibuffer_empty_block_01.dump	[new file with mode: 0644]	blob
src/testdir/test_diffmode.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history