From: Christian Brabandt
Date: Wed, 18 Feb 2026 21:49:58 +0000 (+0000)
Subject: patch 9.2.0023: fix integer overflow in ml_append_int() for long lines
X-Git-Tag: v9.2.0023^0
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ece393844a4433e4dc69cde6fe88f99ed7db100;p=thirdparty%2Fvim.git
patch 9.2.0023: fix integer overflow in ml_append_int() for long lines
Problem: ml_append_int() crashes when appending lines near MAXCOL length due to signed integer overflow in space_needed calculation.
Solution: Change 'space_needed' from int to long to handle the 'len + INDEX_SIZE' computation without overflow. Update db_free comparison casts from (int) to (long) to match.
Note: supported by AI claude
related: #17935
related: #18953
related: #19332
Signed-off-by: Christian Brabandt
---
diff --git a/src/memline.c b/src/memline.c
index 427b64924a..604982a901 100644
--- a/src/memline.c
+++ b/src/memline.c
@@ -2941,7 +2941,7 @@ ml_append_int(
 int line_count; // number of indexes in current block
 int offset;
 int from, to;
- int space_needed; // space needed for new line
+ long space_needed; // space needed for new line
 int page_size;
 int page_count;
 int db_idx; // index for lnum in data block
@@ -3018,7 +3018,7 @@ ml_append_int(
 * - not appending to the last line in the file
 * insert in front of the next block.
 */
- if ((int)dp->db_free < space_needed && db_idx == line_count - 1
+ if ((long)dp->db_free < space_needed && db_idx == line_count - 1
 && lnum < buf->b_ml.ml_line_count)
 {
 /*
@@ -3041,7 +3041,7 @@ ml_append_int(
 ++buf->b_ml.ml_line_count;
- if ((int)dp->db_free >= space_needed) // enough room in data block
+ if ((long)dp->db_free >= space_needed) // enough room in data block
 {
 /*
 * Insert the new line in an existing data block, or in the data block
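Review bot: Declaring `space_needed` as `long` in the first src/memline.c hunk only widens it where `long` is wider than `int`; on LLP64 targets such as 64-bit Windows, and on 32-bit builds, both are 32 bits, so the overflow described in the commit message would presumably still occur there. The same applies to the `(long)dp->db_free` casts in the three later hunks of this file. The assignment that computes `len + INDEX_SIZE` lies outside the visible hunks, so this is inferred from the commit message rather than the code; if those platforms are in scope, a type that is 64 bits wide on every target (for example `long long`) or an explicit length check before the assignment would be the safer choice. A short comment on the declaration, e.g. `// long: len + INDEX_SIZE can exceed INT_MAX for lines near MAXCOL`, would record why the type differs from its neighbours.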
@@ -3142,7 +3142,7 @@ ml_append_int(
 data_moved = ((dp->db_index[db_idx]) & DB_INDEX_MASK) - dp->db_txt_start;
 total_moved = data_moved + lines_moved * INDEX_SIZE;
- if ((int)dp->db_free + total_moved >= space_needed)
+ if ((long)dp->db_free + total_moved >= space_needed)
 {
 in_left = TRUE; // put new line in left block
 space_needed = total_moved;
diff --git a/src/version.c b/src/version.c
index b6d79d2cd9..965ce4b9e3 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 23,
 /**/
 22,
 /**/