From: Christian Brabandt Date: Sat, 7 Feb 2026 15:07:32 +0000 (+0000) Subject: patch 9.1.2139: Buffer overflow in :wlrestore command X-Git-Tag: v9.1.2139^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2498a460e2ab4b0452acfa96a42260667c63b93b;p=thirdparty%2Fvim.git patch 9.1.2139: Buffer overflow in :wlrestore command Problem: Buffer overflow in :wlrestore command, caused by assuming wrong buffer length in vwl_log_handler() (Seungyeon Park) Solution: Use correct buffer size (512 bytes) in vim_vsnprintf() to properly truncate long messages. Signed-off-by: Christian Brabandt --- diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt index 843868c207..989c7c07b0 100644 --- a/runtime/doc/version9.txt +++ b/runtime/doc/version9.txt @@ -52517,4 +52517,10 @@ Problem: With 'autochdir' win_execute() can corrupt the buffer name, causing :write to use wrong path. Solution: Save and restore b_fname when 'autochdir' is active (Ingo Karkat). +Patch 9.1.2139 +Problem: Buffer overflow in :wlrestore command, caused by assuming + wrong buffer length in vwl_log_handler() (Seungyeon Park) +Solution: Use correct buffer size (512 bytes) in vim_vsnprintf() + to properly truncate long messages. + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable diff --git a/src/testdir/test_wayland.vim b/src/testdir/test_wayland.vim index 155172a0fa..c18b6b5d0c 100644 --- a/src/testdir/test_wayland.vim +++ b/src/testdir/test_wayland.vim @@ -614,4 +614,9 @@ func Test_wayland_handle_large_data() call assert_equal(l:contents, system('wl-paste -n -t TEXT')) endfunc +" Test for heap buffer overflow in wayland log handler +func Test_wayland_protocol_error_overflow() + exe "wlrestore " .. repeat('X', 4096) +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 0a395c50ec..a892d87c78 100644 --- a/src/version.c +++ b/src/version.c 
@@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 2139, /**/ 2138, /**/ diff --git a/src/wayland.c b/src/wayland.c index 4db13c4c07..6461337aab 100644 --- a/src/wayland.c +++ b/src/wayland.c @@ -234,7 +234,7 @@ vwl_log_handler(const char *fmt, va_list args) return; vim_strncpy((char_u*)buf, (char_u*)prefix, len); - vim_vsnprintf(buf + len, 4096 - len, fmt, args); + vim_vsnprintf(buf + len, 512 - len, fmt, args); // Remove newline that libwayland puts buf[STRLEN(buf) - 1] = NUL;
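Review bot: Test_wayland_protocol_error_overflow() in src/testdir/test_wayland.vim contains no assertion, so it fails only if Vim crashes or the run is under a memory checker (ASan, valgrind) that flags the out-of-bounds write. On an ordinary build the unpatched code may well pass it. Add a comment saying the test depends on a sanitizer build to be meaningful, and if the 4096-character argument is expected to produce a specific error message, assert on it (for example with assert_fails()) so the test also pins the truncation behaviour.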
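Review bot: In the vwl_log_handler() hunk of src/wayland.c the bound passed to vim_vsnprintf() is still a bare literal, "512 - len", which has to be kept in step by hand with wherever buf gets its size. That is the same pattern that produced the 4096 mismatch. Define one named constant for the buffer size (or use sizeof if buf is an array) and use it both where buf is sized and in this call. Two smaller points in the context lines: nothing visible here guarantees len is smaller than 512, so the subtraction should be guarded, and "buf[STRLEN(buf) - 1] = NUL;" assumes the last byte is the newline libwayland appends, which no longer holds once a long message has been truncated, so a truncated message loses its final real character. Check for '\n' before stripping.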