patch 9.2.0271: buffer underflow in vim_fgets()

author Koda Reef <kodareef5@gmail.com>

Sun, 29 Mar 2026 15:19:49 +0000 (15:19 +0000)

committer Christian Brabandt <cb@256bit.org>

Sun, 29 Mar 2026 15:30:11 +0000 (15:30 +0000)
author Koda Reef <kodareef5@gmail.com>
Sun, 29 Mar 2026 15:19:49 +0000 (15:19 +0000)
committer Christian Brabandt <cb@256bit.org>
Sun, 29 Mar 2026 15:30:11 +0000 (15:30 +0000)
diff --git a/src/fileio.c b/src/fileio.c

index e057b78adbc6fe9f9d5aab80cd7dc7c98d2e560e..975dc310e07c9c6a4b41535ff2a0d6b0b54445cc 100644 (file)
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -3833,6 +3833,14 @@ vim_fgets(char_u *buf, int size, FILE *fp)
  #define FGETS_SIZE 200
      char       tbuf[FGETS_SIZE];
  
+    // safety check
+    if (size < 2)
+    {
+       if (size == 1)
+           buf[0] = NUL;
+       return TRUE;
+    }
+
      buf[size - 2] = NUL;
      eof = fgets((char *)buf, size, fp);
      if (buf[size - 2] != NUL && buf[size - 2] != '\n')
diff --git a/src/testdir/test_viminfo.vim b/src/testdir/test_viminfo.vim

index e3767e9a2b9af094564b45dc0acdd945db89c85b..ff79265f8e0717ae6f51f84443dacce3bb808c64 100644 (file)
--- a/src/testdir/test_viminfo.vim
+++ b/src/testdir/test_viminfo.vim
@@ -1351,4 +1351,24 @@ func Test_viminfo_global_var()
    let &viminfo = _viminfo
  endfunc
  
+func Test_viminfo_len_one()
+  let _viminfofile = &viminfofile
+  let &viminfofile=''
+  let viminfo_file = tempname()
+  call histadd('cmd', '" TEST')
+  defer delete(viminfo_file)
+
+  " Craft a viminfo entry with ^V1 length prefix (len == 1)
+  call writefile([
+      \ '*encoding=utf-8',
+      \ ':' .. "\x161" .. 'X',
+      \ ], viminfo_file, 'b')
+
+  " Should not crash or cause memory errors
+  exe 'rviminfo! ' .. viminfo_file
+  call assert_equal('" TEST', histget(':', -1))
+
+  let &viminfofile = _viminfofile
+endfunc
+
  " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c

index 24341528f4437a55e67c9528a62e1f58c5844a6a..6c60c9dc23868bf0054c4a662c172297d8363703 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    271,
  /**/
      270,
  /**/
diff --git a/src/viminfo.c b/src/viminfo.c

index 7de591f1be0ec5d69f28a2b92ff1634f89a87ee5..9b60ec59457b4a4208ea210b97fd6d41e025c224 100644 (file)
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -265,7 +265,7 @@ viminfo_readstring(
      if (virp->vir_line[off] == Ctrl_V && vim_isdigit(virp->vir_line[off + 1]))
      {
         len = atol((char *)virp->vir_line + off + 1);
-       if (len > 0 && len < 1000000)
+       if (len > 1 && len < 1000000)
             retval = lalloc(len, TRUE);
         if (retval == NULL)
         {
author	Koda Reef <kodareef5@gmail.com>
	Sun, 29 Mar 2026 15:19:49 +0000 (15:19 +0000)
committer	Christian Brabandt <cb@256bit.org>
	Sun, 29 Mar 2026 15:30:11 +0000 (15:30 +0000)
src/fileio.c		patch \| blob \| blame \| history
src/testdir/test_viminfo.vim		patch \| blob \| blame \| history
src/version.c		patch \| blob \| blame \| history
src/viminfo.c		patch \| blob \| blame \| history