Hirohito Higashi [Thu, 18 Jun 2026 19:31:18 +0000 (19:31 +0000)]
patch 9.2.0676: MS-Windows: cannot switch to a buffer with '%' in its name
Problem: On MS-Windows it is not possible to switch to a buffer by name
with ":b" (including via command-line completion) when the
buffer name contains '%'.
Solution: Do not escape '%' and '#' for the ":buffer" command on
MS-Windows. Since ":buffer" has no EX_XFILE these are not
expanded, and escaping them as "\%"/"\#" makes buffer name
matching fail when '%'/'#' is in 'isfname' (the backslash is
treated as a path separator).
fixes: #20529
closes: #20548
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: configure: clears dynamic ruby linker flags, after setting those
Solution: Make configure keep Ruby linker arguments when Ruby support is
built with --enable-rubyinterp=dynamic. The dynamic Ruby
branch clears RUBY_LIBS before setting DYNAMIC_RUBY, so add librubyarg
after that branch instead of before it (Vladimír Marek).
related: #17906
closes: #20558
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Thu, 18 Jun 2026 19:12:40 +0000 (19:12 +0000)]
runtime(tar): fix lz4 extraction on non-Linux systems
Patch 9.2.0306 fixed malformed lz4 extraction commands by using "tar -I lz4"
on Linux and leaving non-Linux tar implementations to auto-detect lz4 input.
That still fails on systems where tar does not support either -I lz4 or
automatic lz4 decompression, such as Solaris /usr/bin/tar.
Keep the existing Linux path using GNU tar's "-I lz4" support. For non-Linux
systems, use lz4 explicitly to decompress the archive to stdout and feed the
resulting tar stream to the configured tar extraction command. This is the
same style tar.vim already used for lz4 archives before patch 9.2.0306.
Follow-up for #19925
closes: #20555
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Test_recover_corrupted_swap_file1() copies prebuilt corrupt swap samples
before recovering them. In an out-of-source-tree build those sample
files may be symlinks into the source tree. filecopy() preserves
symlinks, so the copied target may remain a symlink. Recovery opens
swap files with O_NOFOLLOW, so that copied symlink cannot be opened.
Read the sample as a blob and write it back so the recovery target is a
real swap file.
closes: #20561
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Thu, 18 Jun 2026 18:55:52 +0000 (18:55 +0000)]
patch 9.2.0672: corrupted text property causes internal error
Problem: Restoring a crafted/corrupted persistent-undo file and then
inspecting the line (e.g. prop_list()) reports the bad text
property data as an internal error. On builds with
ABORT_ON_INTERNAL_ERROR (the sanitizer CI job) this aborts the
process even inside assert_fails(), so the test added in
9.2.0670 fails deterministically.
Solution: The prop data only comes from an untrusted persistent-undo
file, so detecting it is input validation, not an internal
bug. Report it with a normal error (emsg) instead of iemsg,
matching how other corrupted persistent files are reported.
The out-of-bounds read is still prevented.
closes: #20559
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files
Problem: [security]: possible out-of-bounds read with sodium encrypted
files (cipher-creator)
Solution: Verify that there is enough space before calling
crypto_secretstream_xchacha20poly1305_init_pull()
Hirohito Higashi [Wed, 17 Jun 2026 19:37:28 +0000 (19:37 +0000)]
patch 9.2.0666: Terminal-Normal mode does not color empty lines with a background color
Problem: In Terminal-Normal mode an empty line that was erased with a
background color (CSI K after e.g. CSI 100m) is shown without
that color, although it is colored while the job is running.
Solution: Reset the empty line's background attribute only when the fill
is the terminal's default color, so that a Visual selection
still shows on a plain empty line, while an explicitly set
background color is kept.
closes: #20547
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" injects arbitrary Ex commands when the file is
deleted (cipher-creator)
Solution: Use fnameescape() to correctly escape the file name
(Yasuhiro Matsumoto).
patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()
Problem: [security]: a crafted spell file with a self-referential
BY_INDEX node in the prefix tree can drive dump_prefixes()
past the end of its MAXWLEN-sized depth arrays on :spelldump
(cipher-creator)
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do (Yasuhiro Matsumoto)
patch 9.2.0661: unintended wipe of Vim's temp dir, causes errors
Problem: Unintended wipe of Vim's temp dir, causes errors and may also
leak temporary data (David Leadbeater)
Solution: In vim_tempname() verify the temp directory still exists (via
its open file descriptor) and re-create it if it was removed.
patch 9.2.0658: xxd: signed integer overflow in huntype()
Problem: malformed revert input with an overlong address column causes
signed integer overflow (UB) in huntype().
Solution: perform the offset/bit shifts through unsigned types
related: neovim/neovim#40246
Supported by AI
Co-Authored-by: Justin M. Keyes <justinkz@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Tue, 16 Jun 2026 19:11:38 +0000 (19:11 +0000)]
patch 9.2.0656: completion: using wrong tolower() in smartcase filtering
Problem: ins_compl_equal_sc() uses MB_TOLOWER() on single bytes, but
it indexes raw bytes, not decoded characters (after v9.1.0651).
Solution: Use TOLOWER_LOC(), matching what STRNICMP()/ins_compl_equal()
does (glephunter).
closes: #20535
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0654: GTK4: using uninitialised colors in gui_mch_init()
Problem: GTK4: using uninitialised colors in gui_mch_init()
Solution: Use g_new0() instead of g_new() (Yasuhiro Matsumoto)
gui.fgcolor/bgcolor/spcolor were allocated with g_new(), leaving the
GdkRGBA fields uninitialised. On widget realize/map GTK runs
gui_mch_new_colors() -> surface_fill_bg() before gui_mch_set_bg_color()
assigns them, so cairo_set_source_rgba() branched on uninitialised
values (reported by valgrind). Use g_new0() to zero-initialise.
closes: #20538
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0653: [security]: out-of-bounds write in tree_count_words()
Problem: [security]: a crafted spell file can drive tree_count_words()
past the end of its MAXWLEN-sized depth arrays; the descent
loop has no depth bound.
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do; apply the same guard to sug_filltree().
Csaba Hoch [Mon, 15 Jun 2026 18:59:22 +0000 (18:59 +0000)]
runtime(erlang): Optimize operators and bitstring types
This commit makes processing the erlangOperator and erlangBitType syntax
items faster.
- erlangOperator changes:
  - Vim now parses erlangOperator faster because we define the operators
    individually.
  - The order of operators in erlangOperator had to be changed to make
    the edge cases work the same as before (for example
    erlangEqualsBinary).
- erlangBitType changes:
  - Vim now parses erlangBitType faster because:
    1. Now the long `\%(integer\|float\|...\)` sections are preceded by
       "beginning of word" patterns (`\<`).
    2. Now we use the old regexp engine (`\%#=1`).
Previously when an Erlang file contained long lines with erlangOperator
or erlangBitType patterns near the end, redrawing these lines was slow,
and typing at the end of the line was also slow.
For example, redrawing a 1787 characters long test line is now roughly
six times faster.
fixes: #5593
closes: #20524
Signed-off-by: Csaba Hoch <csaba.hoch@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0652: popup: stale kitty image after clipwindow scrolls out of view
Problem: a clipwindow popup containing an image leaves a stale image on
the terminal after it scrolls out of view, with the kitty
graphics protocol.
Solution: Delete the kitty placement and the GTK4 image and force a
redraw before hiding, mirroring the textprop scroll-out path
(Yasuhiro Matsumoto).
closes: #20525
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Mon, 15 Jun 2026 18:49:47 +0000 (18:49 +0000)]
patch 9.2.0651: completion: 'smartcase' doesn't work with 'longest'
Problem: With 'longest', 'smartcase' is ignored when filtering matches:
"inp" offers only "InputEvent", and an uppercase pattern gives
different results for CTRL-N and CTRL-P.
Solution: 'longest' rewrites the leader with the common prefix, picking
up uppercase the user never typed. Judge case from the typed
text instead, and match the auto-inserted part of the leader
case-insensitively so CTRL-N and CTRL-P give the same result.
(glepnir)
related: neovim/neovim#40259
closes: #20533
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Mon, 15 Jun 2026 18:20:15 +0000 (18:20 +0000)]
patch 9.2.0650: Vim aborts at startup when built with the example -O2 CFLAGS
Problem: Building with an optimizing example CFLAGS line in src/Makefile
(which bypasses configure) aborts Vim at startup with a buffer
overflow, because the compiler then defaults _FORTIFY_SOURCE to
a level >= 2 (user202729)
Solution: Define FORTIFY_CFLAGS with -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
and reference it from the optimizing example CFLAGS lines, the
same pin configure already applies; at higher levels the check
false-positives on the "x[1] but actually longer" struct-hack
arrays.
fixes: #20526
closes: #20530
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0649: filetype: tf files sometimes incorrectly recognized
Problem: filetype: tf files sometimes incorrectly recognized
(Christian Robinson)
Solution: Add support for g:filetype_tf variable to override detection,
re-write the filetype detection loop
Problem: MS-Windows: Compile warnings
Solution: Add type casts
fixes the following compile warnings:
ex_cmds.c(4934): warning C4267: '+=': conversion from 'size_t' to
'colnr_T', possible loss of data
ex_cmds.c(4868): warning C4267: 'initializing': conversion from 'size_t'
to 'int', possible loss of data
glepnir [Sun, 14 Jun 2026 15:53:39 +0000 (15:53 +0000)]
patch 9.2.0647: matchfuzzypos() false exact match for long equal-length candidates
Problem: When a candidate gets truncated to MATCH_MAX_LEN and ends up
the same length as the needle, the n == m shortcut would
return SCORE_MAX with positions 0..n-1, even if the strings
actually differ.
Solution: Only use the shortcut if the truncated strings are truly equal.
Otherwise, fall back to regular matching.
zeertzjq [Sun, 14 Jun 2026 15:39:26 +0000 (15:39 +0000)]
patch 9.2.0645: Composing chars no longer accepted in end-id abbr
Problem: Composing chars are no longer accepted in end-id abbreviation
(after 9.2.0629).
Solution: Unescape all chars using vim_unescape_csi() instead of using
mb_unescape() on individual chars, so that mb_ptr2len() and
MB_PTR_ADV() can still be used.
closes: #20514
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0642: statusline: buffer overflow with item groups
Problem: statusline: buffer overflow with item groups
Solution: Fix the issues (see below) (Sébastien Hoffmann)
Fix various buffer overflow bugs (examples assume MAXPATHL==4096):
- truncated item groups where minwid>maxwid:
vim --clean +"set ls=2 stl=%<%{%repeat('x',4096-11)%}%50.5(12🙂345%)"
leads to fillchars spilling over the end of the group/buffer while trying to
compensate for truncating at a multicell character because minwid<=maxwid is assumed
- left-aligned item groups with multi-byte fillchar:
vim --clean +"set ls=2 fillchars+=stl:∙ stl=%<%{%repeat('x',4096-3)%}%-2(X%)"
wrongly leads to padding at the end of the statusline and `p-out==4097`
because the bounds check assumes a 1-byte fillchar
- right-aligned item groups with 1-byte fillchar:
vim --clean +"set ls=2 stl=%<%{%repeat('x',4096-4)%}%4(XY%)"
leads to "YX" instead of "XY" at the end of the statusline
because `memmove` is done before adjusting the offset
- right-aligned item groups with multi-byte fillchar:
vim --clean +"set ls=2 fillchars+=stl:∙ stl=%5(X%)"
leads to "∙∙∙∙<e2>", i.e. the fillchar is being written over the group contents
and eventually being overwritten itself at the second byte with the final NUL,
because the padding counter assumes a 1-byte fillchar; to crash vim,
vim --clean +"set ls=2 fillchars+=stl:∙ stl=%<%{%repeat('x',4096-149)%}%50(X%)"
related: neovim/neovim#40219
closes: #20522
Signed-off-by: Sébastien Hoffmann <contact@shoffmann.dev> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0641: GTK4: crash in gui_mch_menu_hidden()
Problem: GTK4: crash in gui_mch_menu_hidden()
Solution: Skip the sentinel like gui_mch_menu_grey() does
(Yasuhiro Matsumoto).
Menu items use the (GtkWidget *)1 sentinel as their id, but
gui_mch_menu_hidden() only skipped NULL ids and passed the sentinel
to gtk_widget_get_visible(), causing a SEGV.
closes: #20523
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sat, 13 Jun 2026 19:39:54 +0000 (19:39 +0000)]
patch 9.2.0640: the "%" command jumps to parens and braces inside comments
Problem: The "%" command jumps to parens and braces inside comments,
unlike the "=" operator (cindent), which ignores them.
Solution: When 'comments' defines C-style comments and "%" is not in
'cpoptions', skip matching parens inside such comments, except
when the cursor is inside a comment so a match there can still
be found.
fixes: #20329
related: #20111
closes: #20491
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Sat, 13 Jun 2026 19:32:44 +0000 (19:32 +0000)]
patch 9.2.0639: gq with 'formatprg' fails on an empty buffer
Problem: gq (and other filters) on an empty buffer fail with
"E20: Mark not set": when the filter produces no output,
do_filter() still subtracts the line count from '[ and '],
pushing '] to line 0.
Solution: when the filter produces no output, put '[ and '] on a valid
line instead of subtracting past line 1 (glepnir).
related: neovim/neovim#30593
closes: #19061
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0638: cannot return matches containing spaces from a custom completion
Problem: A completion function for a user command cannot return a
match containing whitespace; the argument splitter breaks it
into multiple arguments.
Solution: Add -completeopt=escape to escape spaces, tabs and
backslashes in inserted matches.
When a user command uses -complete=custom or -complete=customlist, the
completion function may return matches containing spaces or backslashes.
Without escaping, those characters end up as unescaped text in the
command line and are split into separate arguments.
The new -completeopt=escape attribute makes Vim escape spaces and
backslashes when the selected match is inserted into the command line,
while keeping the unescaped form for the popup menu, wildmenu and
getcompletion(). ArgLead passed to the completion function is also
unescaped, so the function sees the logical argument.
closes: #20239
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0637: sixel: anti-aliased RGBA images render with visible outline
Problem: Only alpha == 0 was treated as transparent, so partly-
transparent edge pixels rendered opaque and outlined the
image.
Solution: Treat alpha < 128 as transparent.
Emit pixels with alpha < 128 as the transparent palette index.
Rendering them opaque showed the anti-aliased fringe of an RGBA
image as bright dots.
closes: #20477
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0636: popup image: stale pixels under RGBA animation frames
Problem: Sixel P2=1 transparency and cairo OPERATOR_OVER composite onto
the previous emit, so swapping RGBA frames of the same size
leaves stale pixels under the new frame's transparent areas.
Solution: Track pixel swaps with w_popup_image_px_dirty and repaint the
cells under the image before re-emitting. In a terminal the
repaint is wrapped in a DECSET 2026 synchronized update so
the swap does not flicker; terminals without mode 2026 ignore
it (Yasuhiro Matsumoto)
closes: #20478
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Aliaksei Budavei [Sat, 13 Jun 2026 18:45:58 +0000 (18:45 +0000)]
runtime(syntax-tests): Rename test files on demand
The current scheme for naming syntax plugin tests expects
a filetype name prefix and an associated filename extension.
However, many configurational filetypes, e.g. Gitignore,
lack any established filename extension. Factor out the
available file-renaming routine and offer a convenience
function to work around this limitation.
For example, put in a VIM_TEST_SETUP aware context:
------------------------------------------------------------
call DeferRenamingTestFileTo('.gitignore')
------------------------------------------------------------
closes: #20482
Signed-off-by: Aliaksei Budavei <0x000c70@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sat, 13 Jun 2026 18:41:28 +0000 (18:41 +0000)]
patch 9.2.0635: checking the syntax contains/cluster list is slow
Problem: Deciding whether a group is in a "contains"/cluster list scans
the list and expands clusters on every check, which is slow for
syntaxes with large lists (e.g. plugins such as netrw).
Solution: Resolve each list once into a sorted, cluster-expanded set of
group IDs and use a binary search; cache it per syntax block and
drop the cache when syntax definitions change (Hirohito Higashi).
closes: #20490
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0633: MS-Windows: No support for kitty graphics support in terminal
Problem: MS-Windows: No support for kitty graphics support in terminal
Solution: Add mch_kitty_probe() to os_win32.c, reading the reply from
the console input handle in VT input mode, with a short grace
period after the DA1 answer because ConPTY answers DA1 by
itself. The response parsing is shared with the UNIX probe via
the new kitty_probe_parse() in kitty.c. (Yasuhiro Matsumoto).
closes: #20497
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
dependabot[bot] [Sat, 13 Jun 2026 18:08:25 +0000 (18:08 +0000)]
CI: Bump the github-actions group across 1 directory with 3 updates
Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [codecov/codecov-action](https://github.com/codecov/codecov-action) and [github/codeql-action](https://github.com/github/codeql-action).
Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6.0.2...v6.0.3)
Updates `codecov/codecov-action` from 6 to 7.0.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v6...v7)
Updates `github/codeql-action` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v4.36.0...v4.36.2)
Foxe Chen [Sat, 13 Jun 2026 17:49:03 +0000 (17:49 +0000)]
patch 9.2.0632: GTK4: no support for hardware-accelerated rendering
Problem: The GTK4 GUI renders via a Cairo backing surface, which may be
slow for large windows and high-resolution displays.
Solution: Add the --enable-gtk4-hwaccel configure option, which
switches the GTK4 GUI to GtkSnapshot-based rendering. Popup
images use the new GDK image backend which uploads textures to
the GPU (Foxe Chen).
closes: #20437
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: popup image: wrong overlap layering, kitty laggy
Solution: Make the end-of-redraw re-emit pass GUI-only, handle zindex
correctly (Yasuhiro Matsumoto).
Emitting every popup image again at the end of each redraw painted lower
zindex images over higher popups and re-sent the multi-MB kitty sequence
on every cursor movement. Make update_popup_images() GUI-only; in
terminal mode the zindex-ordered emit in update_popups() suffices, with
ScreenLines invalidated for cells a higher popup draws over an emitted
sixel image. Kitty placements persist and are now layered with z=zindex,
so retransmission is skipped while the placement is still current.
closes: #20474
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Doug Kearns [Sat, 13 Jun 2026 15:29:42 +0000 (15:29 +0000)]
patch 9.2.0627: :vim9cmd source handles all scripts as Vim9 script
Problem: Vim9: Commands modified by :vim9cmd source all scripts as Vim9
script.
Solution: Only source buffer lines as Vim9 via the :vim9cmd modifier.
When sourcing a file, respect its script type.
This caused `:vim9cmd gui` to launch the GUI without menus as the legacy
script menus.vim file failed to load when sourced as Vim9 script.
closes: #20452
Signed-off-by: Doug Kearns <dougkearns@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Doug Kearns [Sat, 13 Jun 2026 14:57:31 +0000 (14:57 +0000)]
patch 9.2.0626: Vim9: illegal characters allowed in dict key names with dot notation
Problem: In a Vim9 script, colons and hashes are accepted in a dict key
name when using dot notation.
Solution: Restrict dict key names used with dot notation to alphanumeric
and underscore characters, as documented (Doug Kearns).
closes: #20507
Signed-off-by: Doug Kearns <dougkearns@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0624: C-N/C-P cannot be mapped in complete() completion
Problem: Keys valid in CTRL-X mode are never mapped while insert
completion is active, so <C-N> and <C-P> cannot be remapped
for completion started by complete().
Solution: Do not disable mappings in CTRL_X_EVAL mode. In this mode a
mapping cannot interfere with selecting the completion
method, which is what the no-mapping rule exists for.
related: #6440
related: #16880
closes: #20489
Signed-off-by: Thomas M Kehrenberg <tmke8@posteo.net> Signed-off-by: Christian Brabandt <cb@256bit.org>
Devon Kirk [Fri, 12 Jun 2026 10:10:50 +0000 (10:10 +0000)]
patch 9.2.0623: possible integer overflow in spellfile tree bounds check
Problem: possible integer overflow in spellfile tree bounds check
Solution: Rewrite the overflow check (Devon Kirk)
The check 'startidx + len >= maxidx' uses signed int addition and can
overflow when startidx approaches INT_MAX. After overflow the wrapped
result bypasses the guard, allowing the subsequent loop to write
idxs[startidx + i] out of bounds on the heap.
Replace the addition with a safe subtractive check that maintains the
original >= semantics: len >= maxidx - startidx cannot overflow because
both operands are valid indices within [0, maxidx].
This fixes CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based
Buffer Overflow).
closes: #20483
Signed-off-by: Devon Kirk <hyder365@users.noreply.github.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
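An added illustration of the bounds check described in patch 9.2.0623 above; it is not code from the Vim source. The function names and sample values are constructed for the example, and the wrapped addition is emulated with unsigned arithmetic because real signed overflow is undefined behaviour in C.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Additive form of the guard: "startidx + len >= maxidx" means reject.
 * The wrap that typically happens on two's-complement hardware is emulated
 * with unsigned arithmetic so the example itself stays well defined.
 */
static int rejects_additive(int startidx, int len, int maxidx)
{
    int sum = (int)((unsigned)startidx + (unsigned)len);
    return sum >= maxidx;
}

/*
 * Subtractive form with the same ">=" semantics. It cannot overflow as long
 * as 0 <= startidx <= maxidx, because the difference stays in [0, maxidx].
 */
static int rejects_subtractive(int startidx, int len, int maxidx)
{
    return len >= maxidx - startidx;
}

/*
 * Hypothetical writer guarded by the subtractive check. It fills
 * idxs[startidx .. startidx + len - 1] and returns the number of entries
 * written, or -1 when the range is rejected.
 */
static int fill_range(int *idxs, int maxidx, int startidx, int len)
{
    if (startidx < 0 || len < 0 || startidx > maxidx)
        return -1;
    if (rejects_subtractive(startidx, len, maxidx))
        return -1;
    for (int i = 0; i < len; i++)
        idxs[startidx + i] = i;
    return len;
}

int main(void)
{
    int buf[8] = {0};

    /* Ordinary values: both forms agree. */
    printf("in range   additive=%d subtractive=%d\n",
           rejects_additive(3, 4, 8), rejects_subtractive(3, 4, 8));
    printf("too long   additive=%d subtractive=%d\n",
           rejects_additive(3, 5, 8), rejects_subtractive(3, 5, 8));

    /* startidx close to INT_MAX: the wrapped sum is negative, so the
     * additive guard lets the range through; the subtractive one does not. */
    printf("near max   additive=%d subtractive=%d\n",
           rejects_additive(INT_MAX - 5, 10, INT_MAX),
           rejects_subtractive(INT_MAX - 5, 10, INT_MAX));

    printf("fill ok=%d, fill rejected=%d\n",
           fill_range(buf, 8, 3, 4), fill_range(buf, 8, 3, 5));
    return 0;
}
```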
patch 9.2.0622: str2blob() does not work with wide UTF-16 encoding
Problem: str2blob() does not work with wide UTF-16 encoding
Solution: Use iconv() and convert the UTF-16 and similar encodings
directly (Yasuhiro Matsumoto)
str2blob() routed every target encoding through convert_string(), which
treats all Unicode encodings as utf-8 and therefore left the bytes
unconverted. As a result str2blob(['Hello'], {'encoding': 'utf-16le'})
returned 0z48656C6C6F instead of 0z480065006C006C006F00, breaking the
round-trip with blob2str(). Add the same wide-encoding handling blob2str()
uses: join the list items with a newline, convert the whole string at once
with the endianness-preserving encoding name, and append the raw bytes.
closes: #20466
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Doug Kearns [Fri, 12 Jun 2026 09:28:05 +0000 (09:28 +0000)]
runtime(vim): Update base syntax, simplify function call matching
- Explicitly match the dot accessor
- Exclude the qualifier when matching qualified function calls
The dot accessor lookbehind on builtin function calls was slow, matching
across expression based dictionary accessors was visually inconsistent,
and it's arguably more semantically correct.
closes: #20481
Signed-off-by: Doug Kearns <dougkearns@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Cirrus CI shut down on 2026-06-01, so its badge and .cirrus.yml no longer
work. The Coverity Scan project for Vim is also gone (the badge and project
page return 404). Remove both badges and their related configuration.
closes: #20431
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: unmarking a regular file when there are directories in the markings
list also removes the 2match highlight from those directories.
Solution: correctly rebuild the match pattern from the remaining markings,
using the right regex trailer for each entry in the list.
closes: #20461
Signed-off-by: J. Paulo Seibt <jpseibt@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0619: integer overflow in popup image size validation
Problem: integer overflow in popup image size validation
(after v9.2.0612)
Solution: Compute the expected size using a 64-bit varnumber_T
(Yasuhiro Matsumoto).
The image size validation computed iw * ih * 4 in a 32-bit long, which
overflows on MS-Windows (LLP64) and can wrap to a value that matches a
short blob, so the validation passes and the pixels are later read out
of bounds. Compute the expected size in a 64-bit varnumber_T.
closes: #20463
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
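An added illustration of the size validation described in patch 9.2.0619 above; it is not code from the Vim source. The function names, the MAX_DIM limit and the sample dimensions are constructed for the example, and the 32-bit wrap is emulated with uint32_t so that it behaves the same on every platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for this example: keeps iw * ih * 4 inside int64_t. */
#define MAX_DIM 65536

/*
 * Validation with the expected size computed in 32 bits, as happens where
 * "long" is 32 bits wide (LLP64). The product is reduced modulo 2^32.
 */
static int size_ok_32(int iw, int ih, size_t blob_len)
{
    if (iw <= 0 || ih <= 0)
        return 0;
    int32_t expected = (int32_t)((uint32_t)iw * (uint32_t)ih * 4u);
    return expected >= 0 && (size_t)expected == blob_len;
}

/* Validation with the expected size computed in 64 bits. */
static int size_ok_64(int iw, int ih, size_t blob_len)
{
    if (iw <= 0 || ih <= 0 || iw > MAX_DIM || ih > MAX_DIM)
        return 0;
    int64_t expected = (int64_t)iw * ih * 4;
    return (uint64_t)expected == (uint64_t)blob_len;
}

/*
 * Number of bytes a renderer would read beyond the blob if it trusted the
 * declared dimensions (0 when the blob is large enough). The caller is
 * expected to pass dimensions within MAX_DIM.
 */
static int64_t overread_bytes(int iw, int ih, size_t blob_len)
{
    int64_t needed = (int64_t)iw * ih * 4;
    int64_t have = (int64_t)blob_len;
    return needed > have ? needed - have : 0;
}

int main(void)
{
    /* Constructed case: 65536 x 16385 RGBA needs 2^32 + 2^18 bytes, which
     * wraps to 2^18 = 262144 in 32 bits and so matches a 256 KiB blob. */
    int iw = 65536, ih = 16385;
    size_t blob_len = 262144;

    printf("32-bit check accepts: %d\n", size_ok_32(iw, ih, blob_len));
    printf("64-bit check accepts: %d\n", size_ok_64(iw, ih, blob_len));
    printf("bytes read past the blob if accepted: %lld\n",
           (long long)overread_bytes(iw, ih, blob_len));

    /* A small, honest image passes both checks. */
    printf("2x3 image, 24 bytes: 32-bit=%d 64-bit=%d\n",
           size_ok_32(2, 3, 24), size_ok_64(2, 3, 24));
    return 0;
}
```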
patch 9.2.0618: use-after-free in popup_getoptions() on dict_add() failure
Problem: use-after-free in popup_getoptions() on dict_add() failure
Solution: Set b to NULL (Yasuhiro Matsumoto).
When dict_add() failed, dictitem_free() unref'd and freed the blob, but
the error cleanup then read the freed blob's refcount and could free it
again. Clear the pointer after dictitem_free().
closes: #20464
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
K.Takata [Wed, 10 Jun 2026 20:46:21 +0000 (20:46 +0000)]
patch 9.2.0617: GvimExt: does not support different runtime dirs
Problem: GvimExt: does not support different runtime dir types
Solution: Add support for all Vim supported runtime directories
(Ken Takata)
Vim itself supports certain runtime directory structures.
However, GvimExt supports only one type of them.
Check three types of runtime directory structures.
1. gvim.exe is in runtimedir.
2. gvim.exe is in the parent of runtimedir.
runtimedir is "vimXX".
3. gvim.exe is in the parent of runtimedir.
runtimedir is "runtime".
patch 9.2.0616: GTK4: use-after-free on clipboard read timeout
Problem: clip_mch_request_selection() stack-allocates ClipReadData
and waits up to 3 seconds for the async callback to fire.
If the timeout expires before the callback runs, the
function returns and the stack frame is gone, but the async
read is still pending; when the callback eventually fires
it is a use-after-free.
Solution: Heap-allocate ClipReadData and add an "abandoned" flag
(Yasuhiro Matsumoto).
closes: #20467
Co-Authored-by: Claude <noreply@anthropic.com> Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0615: sixel encoder drops pixels on the right edge of shapes
Problem: sixel encoder drops pixels on the right edge of shapes
(after v9.2.0612)
Solution: Update xmax only when the new x is greater, mirroring the
existing xmin handling (Yasuhiro Matsumoto)
The per-colour xmax was updated with an unconditional assignment while
filling the band row by row, so it held the right edge of the last row
containing the colour instead of the maximum over all six rows.
Compare before updating, like xmin.
closes: #20468
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Background redraws under an opacity popup update ScreenLines[]
but suppress terminal output, so the terminal no longer
matches ScreenLines[] for those cells. Later draws skipped
them as "unchanged", leaving parts of the old popup on screen
after popup_settext() or popup_clear().
Solution: Track cells whose output was suppressed under an opacity popup
and force their next output.
fixes: #20459
closes: #20471
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0612: Cannot render images in popup windows
Problem: Cannot render images in popup windows
Solution: Add support for rendering images using the kitty, sixel, cairo
and GDI backend (Yasuhiro Matsumoto).
Add an "image" attribute to popup_create()/popup_setoptions() that
renders a raw RGB/RGBA pixel buffer inside a popup window. Terminal
backends emit the buffer as DEC sixel or kitty graphics sequences; the
MS-Windows GUI uses GDI and the GTK GUI uses Cairo. The popup auto-sizes
its cell box from the image dimensions. getbgcolor() returns the current
background colour so scripts can pre-composite RGBA pixels.
closes: #20136
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Tue, 9 Jun 2026 19:45:35 +0000 (19:45 +0000)]
runtime(doc): wrong {str} length limit in matchfuzzy() docs
Problem: docs say {str} is capped at 256 and longer returns an empty list.
Solution: it's 1024, and {str} plus each candidate are just truncated to
that, not rejected; fix the text.
closes: #20453
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
K.Takata [Tue, 9 Jun 2026 19:40:52 +0000 (19:40 +0000)]
patch 9.2.0611: MS-Windows: evim.exe not working with VIMDLL
Problem: When gvim.exe is built with VIMDLL=yes, and gvim.exe is copied
to evim.exe, evim.exe didn't start in the easy mode.
Solution: Check the executable file type in addition to its filename
(Ken Takata).
closes: #20454
Signed-off-by: K.Takata <kentkt@csc.jp> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0610: cindent: closing brace in a comment affects the next line's indent
Problem: A '}' inside a // line comment changes the indentation of the
following line inside an enum or struct (rendcrx).
Solution: Stop scanning the line once a line comment is reached, so a brace
inside the comment is no longer mistaken for an unmatched brace.
fixes: #20455
closes: #20458
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0609: completion info popup cannot be scrolled with the keyboard
Problem: The info popup shown beside the insert-mode and command-line
completion menu can only be scrolled with the mouse wheel, so
the part below the visible area is unreachable when working
from the keyboard.
Solution: While the completion menu is shown, scroll the info popup with
CTRL-SHIFT-Up/Down (one line), CTRL-SHIFT-PageUp/PageDown (one
page) and CTRL-SHIFT-N/CTRL-SHIFT-P (one line). The menu stays
open and the selected item does not change.
related: #20418
fixes: #20441
closes: #20444
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Tue, 9 Jun 2026 18:58:08 +0000 (18:58 +0000)]
patch 9.2.0607: GTK4: inputdialog() does not work as expected
Problem: GTK4: inputdialog() does not work as expected
Solution: Refactor the dialog code to create a custom window instead of
using GtkAlertDialog; while at it, also make mnemonics
work as expected (Foxe Chen).
closes: #20448
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Tue, 9 Jun 2026 18:49:31 +0000 (18:49 +0000)]
patch 9.2.0606: GTK4: does not support all clipboard formats
Problem: GTK4: GUI does not support Vim's internal specific
formats that preserve motion type and encoding. It also
doesn't support the 'html' option in 'clipboard'.
Solution: Refactor code and add support for all clipboard formats
(Foxe Chen).
closes: #20445
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
thinca [Tue, 9 Jun 2026 18:39:52 +0000 (18:39 +0000)]
patch 9.2.0605: tests: Test_screenpos() is flaky in GUI
Problem: Test_screenpos() fails intermittently in the GUI testgui CI
job with "Expected {'row': 22} but got {'row': 23}". In the
GUI, the window height reported by getwininfo() before the
final redraw can be stale, so the cached wininfo.height does
not match the actual window height when the assertion runs.
Solution: Use winheight(winid) at assertion time so the height reflects
the window state after the redraw.
closes: #20457
Signed-off-by: thinca <thinca@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Shad [Sun, 7 Jun 2026 19:22:33 +0000 (19:22 +0000)]
patch 9.2.0602: popup: No opacity when background not set for Popup group
Problem: popup: When the Popup highlight group has no guibg/ctermbg the
popup becomes fully transparent.
Solution: Create an entry if no popup_attr exists (highlight group
cleared for example), and test if popup_attr exists but
without guibg/ctermbg attributes to fall back to normal bg
color.
glepnir [Sun, 7 Jun 2026 18:42:50 +0000 (18:42 +0000)]
patch 9.2.0601: matchfuzzypos() returns garbage positions for long candidates
Problem: A needle that only matches past char 1024 gives an INT_MIN + 1
score with unset positions, e.g.
matchfuzzypos([repeat('a',1024)..'z'], 'az').
Solution: Drop the candidate when match_positions() returns SCORE_MIN.
closes: #20435
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>