From: Christian Brabandt Date: Wed, 18 Feb 2026 21:52:40 +0000 (+0000) Subject: patch 9.2.0024: Reading files with very long lines crashes with a segfault X-Git-Tag: v9.2.0024^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6cc291da063e7d9a74a6337d6a80af2b3bcbb5a9;p=thirdparty%2Fvim.git patch 9.2.0024: Reading files with very long lines crashes with a segfault Problem: Reading files with lines approaching MAXCOL length crashes with segfault due to colnr_T overflow. Solution: The split check 'linerest >= MAXCOL' fired too late because linerest could grow by up to 'size' bytes before the next check. Change threshold to 'linerest >= MAXCOL - size' to ensure the line passed to ml_append() stays within colnr_T range. Note: supported by AI claude fixes: #17935 closes: #18953 closes: #19332 Signed-off-by: Christian Brabandt --- diff --git a/src/fileio.c b/src/fileio.c index 9aceaf8876..1f372c39e3 100644 --- a/src/fileio.c +++ b/src/fileio.c @@ -1170,7 +1170,12 @@ retry: } // Protect against the argument of lalloc() going negative. - if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL) + // Also split lines that are too long for colnr_T. After this check + // passes, we read up to 'size' more bytes. We must ensure that even + // after that read, the line length won't exceed MAXCOL - 1 (because + // we add 1 for the NUL when casting to colnr_T). If this check fires, + // we insert a synthetic newline immediately, so linerest doesn't grow. + if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL - size) { ++split; *ptr = NL; // split line by inserting a NL diff --git a/src/version.c b/src/version.c index 965ce4b9e3..6618340d75 100644 --- a/src/version.c +++ b/src/version.c @@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 24, /**/ 23, /**/
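Review bot: In the src/fileio.c hunk, the new test `linerest >= MAXCOL - size` only behaves as the added comment describes while `size` is well below MAXCOL, and nothing in the visible lines states that bound. The preceding `size < 0` check short-circuits, so the subtraction cannot exceed MAXCOL, but if `size` could ever reach MAXCOL the right-hand side becomes zero or negative and the branch is taken even with `linerest == 0`, inserting a synthetic NL on every pass. Please name the upper bound of `size` in the comment, or add an explicit guard for it next to `size < 0`. Separately, the diff touches only src/fileio.c and src/version.c, so the fix lands without a regression test; if a line approaching MAXCOL is too large to generate in the test suite, it is worth recording that reason alongside the change.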