From: Koda Reef
Date: Sun, 29 Mar 2026 15:19:49 +0000 (+0000)
Subject: patch 9.2.0271: buffer underflow in vim_fgets()
X-Git-Tag: v9.2.0271^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c0f8000e152ceb02619249f5ebf06d6ffe9c8d8;p=thirdparty%2Fvim.git

patch 9.2.0271: buffer underflow in vim_fgets()

Problem: buffer underflow in vim_fgets()
Solution: Ensure size is always greater than 1 (Koda Reef)

Signed-off-by: Koda Reef
Signed-off-by: Christian Brabandt
---

diff --git a/src/fileio.c b/src/fileio.c
index e057b78adb..975dc310e0 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -3833,6 +3833,14 @@ vim_fgets(char_u *buf, int size, FILE *fp)
 #define FGETS_SIZE 200
 char tbuf[FGETS_SIZE];
 
+ // safety check
+ if (size < 2)
+ {
+ if (size == 1)
+ buf[0] = NUL;
+ return TRUE;
+ }
+
 buf[size - 2] = NUL;
 eof = fgets((char *)buf, size, fp);
 if (buf[size - 2] != NUL && buf[size - 2] != '\n')
diff --git a/src/testdir/test_viminfo.vim b/src/testdir/test_viminfo.vim
index e3767e9a2b..ff79265f8e 100644
--- a/src/testdir/test_viminfo.vim
+++ b/src/testdir/test_viminfo.vim
@@ -1351,4 +1351,24 @@ func Test_viminfo_global_var()
 let &viminfo = _viminfo
 endfunc
 
+func Test_viminfo_len_one()
+ let _viminfofile = &viminfofile
+ let &viminfofile=''
+ let viminfo_file = tempname()
+ call histadd('cmd', '" TEST')
+ defer delete(viminfo_file)
+
+ " Craft a viminfo entry with ^V1 length prefix (len == 1)
+ call writefile([
+ \ '*encoding=utf-8',
+ \ ':' .. "\x161" .. 'X',
+ \ ], viminfo_file, 'b')
+
+ " Should not crash or cause memory errors
+ exe 'rviminfo! ' .. viminfo_file
+ call assert_equal('" TEST', histget(':', -1))
+
+ let &viminfofile = _viminfofile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 24341528f4..6c60c9dc23 100644
--- a/src/version.c
+++ b/src/version.c
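Review bot: The comment `// safety check` on the new guard in vim_fgets() does not say what it protects, and the path for `size <= 0` returns TRUE without writing to buf at all. The statement right after the guard, `buf[size - 2] = NUL;`, indexes before the start of the buffer whenever size is below 2, so I would spell that out: `// size < 2 would make buf[size - 2] below index before buf; return without reading`. TRUE looks like the end-of-file/error result (the function's header comment is outside this hunk), so a caller that passes a length taken from file contents sees a bad length as a plain EOF and, for a size of 0 or less, is left with a buf that was never terminated; one sentence in the header comment stating that buf is only NUL-terminated for size >= 1 would cover it. The function body continues past the end of the hunk.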
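Review bot: Test_viminfo_len_one can realistically only fail on a build run under a memory checker such as ASan or valgrind, because a one-byte write in front of an allocated buffer usually neither crashes nor changes the history entry that `assert_equal()` inspects. The comment `" Should not crash or cause memory errors` would say more as `" Only detectable with ASan/valgrind: a length of 1 used to write one byte in front of the buffer`. The restore `let &viminfofile = _viminfofile` on the last line is skipped if `rviminfo!` throws, while the temp file is already covered by `defer`; wrapping the read in `try`/`finally` keeps a failure here from leaking the emptied option into later tests.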
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 271,
 /**/
 270,
 /**/
diff --git a/src/viminfo.c b/src/viminfo.c
index 7de591f1be..9b60ec5945 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -265,7 +265,7 @@ viminfo_readstring(
 if (virp->vir_line[off] == Ctrl_V && vim_isdigit(virp->vir_line[off + 1]))
 {
 len = atol((char *)virp->vir_line + off + 1);
- if (len > 0 && len < 1000000)
+ if (len > 1 && len < 1000000)
 retval = lalloc(len, TRUE);
 if (retval == NULL)
 {
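Review bot: The new lower bound in `if (len > 1 && len < 1000000)` is a bare number whose reason lives in another file: it mirrors the `size < 2` guard this commit adds to vim_fgets(). A comment such as `// vim_fgets() needs at least two bytes (one character + NUL); a smaller length from the file is invalid` would keep the two checks from drifting apart. The length comes from `atol()` on text read from the viminfo file, which cannot report overflow or a non-numeric tail; the range test probably rejects out-of-range results in practice, but `strtol()` with an `errno == ERANGE` check would make that rejection explicit. A rejected length and a failed `lalloc()` both land in the `retval == NULL` branch, whose body lies outside the hunk.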