From: Christian Brabandt
Date: Sun, 21 Jun 2026 18:24:30 +0000 (+0000)
Subject: patch 9.2.0697: possible overflow when parsing CSI keys
X-Git-Tag: v9.2.0697^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=156bcfccb05d082af8e4ec5023c33cfab7d5dae9;p=thirdparty%2Fvim.git

patch 9.2.0697: possible overflow when parsing CSI keys

Problem: possible overflow when parsing CSI keys (cipher-creator)
Solution: Reject key codes above U+10FFFF and enlarge the key buffer, guard the CSI argument accumulator against overflow

closes: #20556

Signed-off-by: Christian Brabandt
---

diff --git a/src/term.c b/src/term.c
index dcb9c92442..b789f39248 100644
--- a/src/term.c
+++ b/src/term.c
@@ -5443,9 +5443,14 @@ put_key_modifiers_in_typebuf(
 modifiers = may_remove_shift_modifier(modifiers, key);

 // Produce modifiers with K_SPECIAL KS_MODIFIER {mod}
- char_u string[MAX_KEY_CODE_LEN + 1];
+ // worst-case: 3-byte modifier + 4 byte multi-char key + NUL
+ char_u string[MAX_KEY_CODE_LEN + 2];
 int new_slen = modifiers2keycode(modifiers, &key, string);

+ // reject overlong key that would overflow string
+ if (key > 0x10FFFF)
+ return -1;
+
 // Add the bytes for the key.
 new_slen += add_key_to_buf(key, string + new_slen);

@@ -5713,7 +5718,9 @@ handle_csi(
 return -1;
 if (!VIM_ISDIGIT(*ap))
 break;
- arg[argc] = arg[argc] * 10 + (*ap - '0');
+ // avoid overflow
+ if (arg[argc] <= (INT_MAX - 9) / 10)
+ arg[argc] = arg[argc] * 10 + (*ap - '0');
 ++ap;
 }
 ++argc;
diff --git a/src/version.c b/src/version.c
index 5fca1bd8cf..f8268b842e 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =

 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 697,
 /**/
 696,
 /**/
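Review bot: The new size of `string` in put_key_modifiers_in_typebuf rests only on the comment's arithmetic (3 + 4 + 1 = 8 bytes); nothing in the hunk enforces it. `MAX_KEY_CODE_LEN + 2` is large enough only if that macro is at least 6, and its definition is not visible here. The `key > 0x10FFFF` test bounds the encoded length only indirectly, presumably through how add_key_to_buf() encodes the key. I would add an explicit length check before the write, e.g. `if (new_slen + 4 >= (int)sizeof(string)) return -1;`, and reword the comment to `// keys above U+10FFFF need more than 4 bytes in UTF-8 and would not fit in string`. The function starts and ends outside the hunk, so what -1 means to its callers should be confirmed.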
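Review bot: When the new guard in handle_csi's digit loop fails, the digit is dropped but `++ap` still runs. An oversized argument therefore silently becomes its leading digits, a smaller and plausible-looking number, instead of being marked out of range. Saturating keeps the value recognisably invalid: add `else arg[argc] = INT_MAX;` after the guarded assignment. A later range check such as the `key > 0x10FFFF` test in the first hunk could then reject it, assuming the argument ends up as the key code, which is not shown here. The comment could also say what is being avoided, e.g. `// signed overflow is undefined behaviour; saturate instead`. The loop starts and ends outside the hunk.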