From: Christian Brabandt <cb@256bit.org>
Date: Tue, 24 Feb 2026 20:29:20 +0000 (+0000)
Subject: patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()
X-Git-Tag: v9.2.0078^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e5b9e31cb7484ad156fba995fdce3c9b075b5fd;p=thirdparty%2Fvim.git

patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

Problem:  A stack-buffer-overflow occurs when rendering a statusline
          with a multi-byte fill character on a very wide terminal.
          The size check in build_stl_str_hl() uses the cell width
          rather than the byte length, allowing the subsequent fill
          loop to write beyond the 4096-byte MAXPATHL buffer
          (ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
          the fill character (using MB_CHAR2LEN).

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf

Signed-off-by: Christian Brabandt <cb@256bit.org>
---

diff --git a/src/buffer.c b/src/buffer.c
index 5a639fcf58..d96f2fdc1a 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5296,7 +5296,8 @@ build_stl_str_hl(
 	}
 	width = maxwidth;
     }
-    else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)
+    else if (width < maxwidth &&
+	    outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)
     {
 	// Find how many separators there are, which we will use when
 	// figuring out how many groups there are.
diff --git a/src/version.c b/src/version.c
index 360e31edfb..7abc134fc5 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    78,
 /**/
     77,
 /**/