Hirohito Higashi [Tue, 23 Jun 2026 21:02:46 +0000 (21:02 +0000)]
patch 9.2.0713: completion: ruler not updated correctly when the popup menu is visible
Problem: While the insert-mode completion popup menu is visible, the
ruler - and the ruler shown in a status line when 'laststatus'
is set - shows the column where the completion started instead
of the real cursor column. With a status line the ruler can
also stay at the column from before the completion until the
next key is pressed.
Solution: Position the popup menu at the completion start column without
moving the cursor there, so the ruler keeps reflecting the
real cursor column. Also mark the status line for redraw
before the menu is shown, so its ruler is updated for the real
cursor column while the menu is visible.
closes: #20626
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Tue, 23 Jun 2026 20:03:31 +0000 (20:03 +0000)]
patch 9.2.0710: GTK4 GUI resize handling can be improved
Problem: GTK4 GUI resize handling can be improved
Solution: Remove the resize debounce, set the draw area's size request
in gui_mch_set_text_area_pos() via vim_form_move_resize()
(Foxe Chen).
reverts: #20327
closes: #20486
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Barrett Ruth [Mon, 22 Jun 2026 20:13:22 +0000 (20:13 +0000)]
patch 9.2.0707: completion: popup misplaced when text before it is concealed
Problem: When the cursor line has concealed text before the start of the
completion, the insert-mode completion popup is drawn at the wrong
screen column and the cursor no longer lines up with the completed
text.
Solution: Record the concealed width before the cursor on its screen line in
a new `win_T` field while `win_line()` draws it, subtract it in
`pum_display()` to place the menu over the visible text, and redraw
the cursor line so `win_line()` corrects the cursor too.
closes: #20539
Signed-off-by: Barrett Ruth <br@barrettruth.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0706: tests: test_terminal3 may fail when $SHELL is zsh
Problem: tests: test_terminal3 may fail when the shell ($SHELL) is zsh
with a custom prompt, because the prompt wraps the terminal
line and shifts the expected output.
Solution: Reset $HOME and $PS1 to sane defaults so the shell uses a
minimal prompt, and adjust the expected window height.
Miguel Barro [Mon, 22 Jun 2026 19:19:24 +0000 (19:19 +0000)]
patch 9.2.0703: session file does not store relative Vim9 autoload imports
Problem: mksession misses relative or absolute imports in the session,
homonymous autoload scripts imported from different scripts
cause errors (after v9.2.0579).
Solution: Correctly write scripts imported via :import autoload, skip any
that are no longer readable, and comment out imports whose autoload
prefix or file name tail would conflict with an earlier one
(Miguel Barro).
fixes: #12641
closes: #20564
Signed-off-by: Miguel Barro <miguel.barro@live.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0702: :windo and :tabdo create an extra window with 'winfixbuf'
Problem: With 'winfixbuf' set in the current window, :windo and :tabdo
create an extra split window, even though they only visit
existing windows/tabpages and don't change the current
window's buffer (Collin Kennedy)
Solution: Skip the 'winfixbuf' escape in ex_listdo() for :windo and
:tabdo (ShivaPriyanShanmuga)
fixes: #14301
closes: #20600
Signed-off-by: ShivaPriyanShanmuga <pshanmugashiva@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Mon, 22 Jun 2026 18:04:06 +0000 (18:04 +0000)]
patch 9.2.0701: tests: test_terminal.vim does not wait for job to finish
Problem: tests: Test_terminal_eof_arg() and
Test_terminal_duplicate_eof_arg() do not wait until the python
job finishes
Solution: Wait for the job to be dead before checking its exit value
(Vladimír Marek).
closes: #20571
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Jessica Clarke [Mon, 22 Jun 2026 17:58:04 +0000 (17:58 +0000)]
patch 9.2.0700: configure: -lrt requirement for timer_create not detected
Problem: configure does not actually check whether -lrt is needed for
timer_create(); the test only compiles instead of linking, so
the requirement is missed when cross-compiling
Solution: Use AC_LINK_IFELSE instead of AC_COMPILE_IFELSE for the
timer_create checks so the link actually decides whether -lrt
is required (Jessica Clarke)
AC_COMPILE_IFELSE won't try to link, so if the function exists in the
system headers, we will always detect that -lrt is not needed, as the
code will compile regardless of linker flags. If not cross-compiling,
the following AC_RUN_IFELSE will end up trying to link, so if -lrt is
needed it will fail to link and we will interpret timer_create as not
working, rather than that we just need to link with -lrt. But when we
are cross-compiling we will skip the AC_RUN_IFELSE and assume that it
works, failing to link when we later build if -lrt is in fact needed.
closes: #20605
related: 2cf145b78b88 ("patch 9.1.0837: cross-compiling has some issues") Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
K.Takata [Sun, 21 Jun 2026 20:33:17 +0000 (20:33 +0000)]
nsis: Remove NSIS Installer Code
Move the NSIS code to the vim/vim-win32-installer repository.
When we update the NSIS code, we sometimes need to update the
vim/vim-win32-installer scripts also. Managing them in the same repository
should be better for maintenance.
This PR should be merged after https://github.com/vim/vim-win32-installer/pull/457
closes: #20521
Signed-off-by: K.Takata <kentkt@csc.jp> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0698: [security]: Out-of-bounds write with soundfold()
Problem: [security]: Out-of-bounds write with soundfold()
(cipher-creator)
Solution: Add an abort condition to the for loop to validate the buffer
size.
patch 9.2.0697: possible overflow when parsing CSI keys
Problem: possible overflow when parsing CSI keys (cipher-creator)
Solution: Reject key codes above U+10FFFF and enlarge the key buffer,
guard the CSI argument accumulator against overflow
Foxe Chen [Sun, 21 Jun 2026 18:19:58 +0000 (18:19 +0000)]
patch 9.2.0696: GTK4: A few issues with toolbar support
Problem: GTK4: A few issues with toolbar support
Solution: Fix segfault when removing toolbar icon; bring focus to drawarea when button in overflow
menu is clicked (Foxe Chen)
closes: #20562
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 17:59:05 +0000 (17:59 +0000)]
patch 9.2.0695: Solaris: test_delete_temp_dir() fails because of missing flock
Problem: Solaris: test_delete_temp_dir() fails because of missing flock
Solution: Skip the test (Vladimír Marek)
Test_delete_temp_dir() assumes Vim can detect when its cached private temp
directory has been deleted, which depends on flock/dirfd support. Solaris
does not provide flock(), so Vim keeps using the cached temp directory path
after the directory has been deleted. Skip the test there.
closes: #20567
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 17:54:12 +0000 (17:54 +0000)]
patch 9.2.0694: Solaris: some tests faiures due to Solaris peculiarities
Problem: Solaris: some tests faiures due to Solaris peculiarities
Solution: Fix test assumptions (Vladimír Marek)
Several Vim tests assume behavior that is not true for Solaris:
- Test_strptime() expects the artificial POSIX DST rule in TZ to be applied, but
Solaris strptime() returns the UTC value for that test case.
- Test_gettext() checks ngettext() with a singular-only test catalog entry. GNU
gettext reuses the singular translation for the Russian plural lookup, but
Solaris gettext returns an empty string for that malformed catalog entry.
- Test_detect_fifo() reads bash process substitution through /dev/fd, which
Solaris reports as character special rather than fifo.
- Test_termencoding_euc_jp() writes Xeuc_jp.txt as EUC-JP. On Solaris, the
latin1 fallback in 'fileencodings' can still be converted to euc-jp, causing
Vim to read the file as latin1 instead of as the current euc-jp encoding.
Read the generated EUC-JP file explicitly as EUC-JP on Solaris.
closes: #20568
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 17:45:37 +0000 (17:45 +0000)]
patch 9.2.0693: tests: Test_suspend() may fail because of keyprotocol query
Problem: tests: Test_suspend() may fail because of keyprotocol query
Solution: Disable keyprotocol and unset t_RK very early so that the
inner Vim does not query it (Vladimír Marek)
The nested Vim can send a keyprotocol query during startup. If the terminal
response arrives at the wrong time, the nested Vim may not consume it and the
response can be written to the inner terminal, leaving characters such as 4;2m
after the shell prompt when the test later suspends Vim.
The previous command tried to avoid that with -c 'set keyprotocol=', but -c
commands are applied too late. Use --cmd 'set t_RK= keyprotocol=' so the
inner Vim disables the query before startup can send it.
closes: #20570
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Solaris: Test_terminal_composing_unicode() fails, because
readline echoes combining UTF-8 input as octal bytes.
Solution: Force C.UTF-8 locale for the terminal test
(Vladimír Marek).
closes: #20572
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 14:58:30 +0000 (14:58 +0000)]
patch 9.2.0690: Solaris: swap file names are too long
Problem: Solaris: dirent.h exposes MAXNAMLEN as 512, but the usable
file name component limit is 255 (defined in param.h). Vim
derives BASENAMELEN for generated swap file names from
MAXNAMLEN, so it creates overlong components and fails to
rename the swap file with ENAMETOOLONG (Vladimír Marek).
Solution: Override MAXNAMLEN to the effective Solaris component limit
of 255 for swap file name generation.
closes: #20573
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sun, 21 Jun 2026 14:53:03 +0000 (14:53 +0000)]
patch 9.2.0689: the "%" command is slow on a long line with many slashes
Problem: The "%" command can be very slow on a long line that contains
many slashes, for example a line of base64 data.
Solution: When looking for a line comment, scan the line only once while
skipping over strings, instead of rescanning from the start for
every slash. Move check_linecomment() to cindent.c so it can
reuse the file-local skip_string().
related: #20491
fixes: #20557
closes: #20575
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Gareth Lloyd [Sun, 21 Jun 2026 14:44:35 +0000 (14:44 +0000)]
runtime(cpp): add C++26 lexical constructs to syntax highlighting
Add a guarded "C++ 26 extensions" block (cpp_no_cpp26) covering new
lexical surface introduced since C++23:
- [[ ... ]] attributes as a region, so P3394 annotations carrying a
value expression (eg [[=foo{1}]]) no longer trip cErrInBracket on
their braces/parens. A \w\@1<! look-behind keeps it from matching a
subscripted immediately-invoked lambda (arr[[]{...}()]).
- ^^ reflection operator (P2996).
- [: :] splice brackets (P2996).
- contract_assert keyword (P2900).
Add input/cpp_cpp26.cpp exercising these constructs with screendumps,
and update dumps/cpp_noreturn_00.dump for the new [[ ]] attribute
delimiter highlighting.
closes: #20577
Signed-off-by: Gareth Lloyd <gareth@ignition-web.co.uk> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sun, 21 Jun 2026 14:09:31 +0000 (14:09 +0000)]
patch 9.2.0688: Terminal-Normal mode does not show the Visual selection on a colored empty line
Problem: In Terminal-Normal mode the Visual selection is not visible on
the first cell of an empty line that was erased with a
background color (CSI K after e.g. CSI 100m); a plain empty
line shows it but a colored one does not.
Solution: Combine the Visual or search highlight onto the first cell on
top of the explicitly set background color, the same way it
shows with the default background.
closes: #20580
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0687: popup_image_composites_frames() has improper if block scope
Problem: popup_image_composites_frames() has improper if block scope
Solution: Add curly braces to properly scope the if block
(Yee Cheng Chin).
If the ifdef conditions within the if block evaluates to false, then the
generated code will have the if block apply to the next statement
instead. Use a curly brace to properly scope the if block.
related: #20478
closes: #20584
Signed-off-by: Yee Cheng Chin <ychin.git@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0685: clipboard.c does not get the Wayland CFLAGS on GTK2
Problem: clipboard.c relies on the GTK include flags from
pkg-config to pull in the Wayland headers. This is not
guaranteed: GTK2 does not add them, and Wayland clipboard
support is independent of the GUI.
Solution: Add $(WAYLAND_CFLAGS) and $(WAYLAND_CPPFLAGS) to the
clipboard.c compile rule so it always compiles, consistent
with the other Wayland files (Christoffer Aasted).
closes: #20576
Signed-off-by: Christoffer Aasted <dezzadk@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Doug Kearns [Sun, 21 Jun 2026 13:03:21 +0000 (13:03 +0000)]
patch 9.2.0684: :reg # does not display the value of the '#' register
Problem: ':registers #' does not display the value of the '#' register.
Solution: Filter the '#' :registers output on a '#' arg instead of '%'
(Doug Kearns).
closes: #20589
Signed-off-by: Doug Kearns <dougkearns@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Sun, 21 Jun 2026 12:55:58 +0000 (12:55 +0000)]
patch 9.2.0683: filetype completion mishandles finished sub options
Problem: ":filetype plugin<Tab>" gives "pluginindent" because a
sub option before the cursor is treated as already given.
Solution: only skip plugin and indent when followed by white space.
(glepnir)
closes: #20594
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
zeertzjq [Sun, 21 Jun 2026 12:52:36 +0000 (12:52 +0000)]
patch 9.2.0682: Wrong dot-repeat when calling complete() while filtering completion
Problem: Wrong dot-repeat when calling complete() while filtering
Ctrl-N completion.
Solution: Also check compl_started for whether completion is active.
(zeertzjq)
related: neovim/neovim#40346
closes: #20595
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0681: configure: -lruby added even for a dynamic ruby build
Problem: configure: -lruby is added to the link flags even for a
dynamic ruby build, creating a hard dependency on the Ruby
library (Johannes Schindelin, after v9.2.0674).
Solution: For a dynamic build filter out -l flags from librubyarg.
Hirohito Higashi [Sat, 20 Jun 2026 16:06:58 +0000 (16:06 +0000)]
patch 9.2.0679: [security]: Out-of-bounds read with text property virtual text
Problem: [security]: Out-of-bounds read with text property virtual text.
A crafted undo file can declare a virtual-text property whose
offset points outside the line's property data, so reading the
virtual text reads out of bounds. This completes the count-only
check added in 9.2.0670.
Solution: Validate the virtual-text offset and length of each property
against the available property data before turning the offset
into a pointer.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0678: [security]: potential powershell code execution in zip.vim
Problem: [security]: potential powershell code execution in zip.vim
(DDugs)
Solution: Cleanup zip.vim, introduce PSEscape() to escape() potential powershell code,
use consistent s:Escape() in the various PowerShell functions
Hirohito Higashi [Thu, 18 Jun 2026 20:12:48 +0000 (20:12 +0000)]
ccfilter: buffer overflow in ccfilter.c with crafted compiler output
Problem: ccfilter: can overflow fixed-size buffers (FileName, BasePath,
Reason) when parsing crafted compiler output, because the
sscanf() calls read "%[" fields without a width limit (DDugs)
Solution: Give every sscanf() "%[" conversion a width limit derived from
the buffer size (Hirohito Higashi).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Thu, 18 Jun 2026 19:31:18 +0000 (19:31 +0000)]
patch 9.2.0676: MS-Windows: cannot switch to a buffer with '%' in its name
Problem: On MS-Windows it is not possible to switch to a buffer by name
with ":b" (including via command-line completion) when the
buffer name contains '%'.
Solution: Do not escape '%' and '#' for the ":buffer" command on
MS-Windows. Since ":buffer" has no EX_XFILE these are not
expanded, and escaping them as "\%"/"\#" makes buffer name
matching fail when '%'/'#' is in 'isfname' (the backslash is
treated as a path separator).
fixes: #20529
closes: #20548
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: configure: clears dynamic ruby linker flags, after setting those
Solution: Make configure keep Ruby linker arguments when Ruby support is
built with --enable-rubyinterp=dynamic. The dynamic Ruby
branch clears RUBY_LIBS before setting DYNAMIC_RUBY, so add librubyarg
after that branch instead of before it (Vladimír Marek).
related: #17906
closes: #20558
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Thu, 18 Jun 2026 19:12:40 +0000 (19:12 +0000)]
runtime(tar): fix lz4 extraction on non-Linux systems
Patch 9.2.0306 fixed malformed lz4 extraction commands by using "tar -I lz4"
on Linux and leaving non-Linux tar implementations to auto-detect lz4 input.
That still fails on systems where tar does not support either -I lz4 or
automatic lz4 decompression, such as Solaris /usr/bin/tar.
Keep the existing Linux path using GNU tar's "-I lz4" support. For non-Linux
systems, use lz4 explicitly to decompress the archive to stdout and feed the
resulting tar stream to the configured tar extraction command. This is the
same style tar.vim already used for lz4 archives before patch 9.2.0306.
Follow-up for #19925
closes: #20555
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Test_recover_corrupted_swap_file1() copies prebuilt corrupt swap samples
before recovering them. In an out-of-source-tree build those sample
files may be symlinks into the source tree. filecopy() preserves
symlinks, so the copied target may remain a symlink. Recovery opens
swap files with O_NOFOLLOW, so that copied symlink cannot be opened.
Read the sample as a blob and write it back so the recovery target is a
real swap file.
closes: #20561
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Thu, 18 Jun 2026 18:55:52 +0000 (18:55 +0000)]
patch 9.2.0672: corrupted text property causes internal error
Problem: Restoring a crafted/corrupted persistent-undo file and then
inspecting the line (e.g. prop_list()) reports the bad text
property data as an internal error. On builds with
ABORT_ON_INTERNAL_ERROR (the sanitizer CI job) this aborts the
process even inside assert_fails(), so the test added in
9.2.0670 fails deterministically.
Solution: The prop data only comes from an untrusted persistent-undo
file, so detecting it is input validation, not an internal
bug. Report it with a normal error (emsg) instead of iemsg,
matching how other corrupted persistent files are reported.
The out-of-bounds read is still prevented.
closes: #20559
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files
Problem: [security]: possible out-of-bounds read with sodium encrypted
files (cipher-creator)
Solution: Verify that there is enough space before calling
crypto_secretstream_xchacha20poly1305_init_pull()
Hirohito Higashi [Wed, 17 Jun 2026 19:37:28 +0000 (19:37 +0000)]
patch 9.2.0666: Terminal-Normal mode does not color empty lines with a background color
Problem: In Terminal-Normal mode an empty line that was erased with a
background color (CSI K after e.g. CSI 100m) is shown without
that color, although it is colored while the job is running.
Solution: Reset the empty line's background attribute only when the fill
is the terminal's default color, so that a Visual selection
still shows on a plain empty line, while an explicitly set
background color is kept.
closes: #20547
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" injects arbitrary Ex commands when the file is
deleted (cipher-creator)
Solution: Use fnameescape() to correctly escape the file name
(Yasuhiro Matsumoto).
patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()
Problem: [security]: a crafted spell file with a self-referential
BY_INDEX node in the prefix tree can drive dump_prefixes()
past the end of its MAXWLEN-sized depth arrays on :spelldump
(cipher-creator)
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do (Yasuhiro Matsumoto)
patch 9.2.0661: unintended wipe of Vim's temp dir, causes errors
Problem: Unintended wipe of Vim's temp dir, causes errors and may also
leak temporary data (David Leadbeater)
Solution: In vim_tempname() verify the temp directory still exists (via
its open file descriptor) and re-create it if it was removed.
patch 9.2.0658: xxd: signed integer overflow in huntype()
Problem: malformed revert input with an overlong address column causes
signed integer overflow (UB) in huntype().
Solution: perform the offset/bit shifts through unsigned types
related: neovim/neovim#40246
Supported by AI
Co-Authored-by: Justin M. Keyes <justinkz@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Tue, 16 Jun 2026 19:11:38 +0000 (19:11 +0000)]
patch 9.2.0656: completion: using wrong tolower() in smartcase filtering
Problem: ins_compl_equal_sc() uses MB_TOLOWER() on single bytes, but
it indexes raw bytes, not decoded characters (after v9.1.0651).
Solution: Use TOLOWER_LOC(), matching what STRNICMP()/ins_compl_equal()
does (glephunter).
closes: #20535
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0654: GTK4: using uninitialised colors in gui_mch_init()
Problem: GTK4: using uninitialised colors in gui_mch_init()
Solution: Use g_new0() instead of g_new() (Yasuhiro Matsumoto)
gui.fgcolor/bgcolor/spcolor were allocated with g_new(), leaving the
GdkRGBA fields uninitialised. On widget realize/map GTK runs
gui_mch_new_colors() -> surface_fill_bg() before gui_mch_set_bg_color()
assigns them, so cairo_set_source_rgba() branched on uninitialised
values (reported by valgrind). Use g_new0() to zero-initialise.
closes: #20538
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0653: [security]: out-of-bounds write in tree_count_words()
Problem: [security]: a crafted spell file can drive tree_count_words()
past the end of its MAXWLEN-sized depth arrays; the descent
loop has no depth bound.
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do; apply the same guard to sug_filltree().
Csaba Hoch [Mon, 15 Jun 2026 18:59:22 +0000 (18:59 +0000)]
runtime(erlang): Optimize operators and bitstring types
This commit makes processing the erlangOperator and erlangBitType syntax
items faster.
- erlangOperator changes:
- Vim now parses erlangOperator faster because we define the operators
individually.
- The order of operators in erlangOperator had to be changed to make
the edge cases work the same as before (for example
erlangEqualsBinary).
- erlangBitType changes:
- Vim now parses erlangBitType faster because:
1. Now the long `\%(integer\|float\|...\)` sections are preceded by
"beginning of word" patterns (`\<`).
2. Now we use the old regexp engine (`\%#=1`).
Previously when an Erlang file contained long lines with erlangOperator
or erlangBitType patterns near the end, redrawing these lines was slow,
and typing at the end of the line was also slow.
For example, redrawing a 1787 characters long test line is now roughly
six times faster.
fixes: #5593
closes: #20524
Signed-off-by: Csaba Hoch <csaba.hoch@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0652: popup: stale kitty image after clipwindow scrolls out of view
Problem: a clipwindow popup containing an image leaves a stale image on
the terminal after it scrolls out of view, with the kitty
graphics protocol.
Solution: Delete the kitty placement and the GTK4 image and force a
redraw before hiding, mirroring the textprop scroll-out path
(Yasuhiro Matsumoto).
closes: #20525
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Mon, 15 Jun 2026 18:49:47 +0000 (18:49 +0000)]
patch 9.2.0651: completion: 'smartcase' doesn't work with 'longest'
Problem: With 'longest', 'smartcase' is ignored when filtering matches:
"inp" offers only "InputEvent", and an uppercase pattern gives
different results for CTRL-N and CTRL-P.
Solution: 'longest' rewrites the leader with the common prefix, picking
up uppercase the user never typed. Judge case from the typed
text instead, and match the auto-inserted part of the leader
case-insensitively so CTRL-N and CTRL-P give the same result.
(glepnir)
related: neovim/neovim#40259
closes: #20533
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Mon, 15 Jun 2026 18:20:15 +0000 (18:20 +0000)]
patch 9.2.0650: Vim aborts at startup when built with the example -O2 CFLAGS
Problem: Building with an optimizing example CFLAGS line in src/Makefile
(which bypasses configure) aborts Vim at startup with a buffer
overflow, because the compiler then defaults _FORTIFY_SOURCE to
a level >= 2 (user202729)
Solution: Define FORTIFY_CFLAGS with -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
and reference it from the optimizing example CFLAGS lines, the
same pin configure already applies; at higher levels the check
false-positives on the "x[1] but actually longer" struct-hack
arrays.
fixes: #20526
closes: #20530
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0649: filetype: tf files sometimes incorrectly recognized
Problem: filetype: tf files sometimes incorrectly recognized
(Christian Robinson)
Solution: Add support for g;filetype_tf variable to override detection,
re-write the filetype detection loop
Problem: MS-Windows: Compile warnings
Solution: Add type casts
fixes the following compile warnings:
ex_cmds.c(4934): warning C4267: '+=': conversion from 'size_t' to
'colnr_T', possible loss of data
ex_cmds.c(4868): warning C4267: 'initializing': conversion from 'size_t'
to 'int', possible loss of data
glepnir [Sun, 14 Jun 2026 15:53:39 +0000 (15:53 +0000)]
patch 9.2.0647: matchfuzzypos() false exact match for long equal-length candidates
Problem: When a candidate gets truncated to MATCH_MAX_LEN and ends up
the same length as the needle, the n == m shortcut would
return SCORE_MAX with positions 0..n-1, even if the strings
actually differ.
Solution: Only use the shortcut if the truncated strings are truly equal.
Otherwise, fall back to regular matching.
zeertzjq [Sun, 14 Jun 2026 15:39:26 +0000 (15:39 +0000)]
patch 9.2.0645: Composing chars no longer accepted in end-id abbr
Problem: Composing chars are no longer accepted in end-id abbreviation
(after 9.2.0629).
Solution: Unescape all chars using vim_unescape_csi() instead of using
mb_unescape() on individual chars, so that mb_ptr2len() and
MB_PTR_ADV() can still be used.
closes: #20514
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0642: statusline: buffer overflow with item groups
Problem: statusline: buffer overflow with item groups
Solution: Fix the issues (see below) (Sébastien Hoffmann)
Fix various buffer overflow bugs (examples assume MAXPATHL==4096):
- truncated item groups where minwid>maxwid:
vim --clean +"set ls=2 stl=%<%{%repeat('x',4096-11)%}%50.5(12🙂345%)"
leads to fillchars spilling over the end of the group/buffer while trying to
compensate for truncating at a multicell character because minwid<=maxwid is assumed
- left-aligned item groups with multi-byte fillchar:
vim --clean +"set ls=2 fillchars+=stl:∙ stl=%<%{%repeat('x',4096-3)%}%-2(X%)"
wrongly leads to padding at the end of the statusline and `p-out==4097`
because the bounds check assumes a 1-byte fillchar
- right-aligned item groups with 1-byte fillchar:
vim --clean +"set ls=2 stl=%<%{%repeat('x',4096-4)%}%4(XY%)"
leads to "YX" instead of "XY" at the end of the statusline
because `memmove` is done before adjusting the offset
- right-aligned item groups with multi-byte fillchar:
vim --clean +"set ls=2 fillchars+=stl:∙ stl=%5(X%)"
leads to "∙∙∙∙<e2>", i.e. the fillchar is being written over the group contents
and eventually being overwritten itself at the second byte with the final NUL,
because the padding counter assumes a 1-byte fillchar; to crash vim,
vim --clean +"set ls=2 fillchars+=stl:∙ stl=%<%{%repeat('x',4096-149)%}%50(X%)"
related: neovim/neovim#40219
closes: #20522
Signed-off-by: Sébastien Hoffmann <contact@shoffmann.dev> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0641: GTK4: crash in gui_mch_menu_hidden()
Problem: GTK4: crash in gui_mch_menu_hidden()
Solution: Skip the sentinel like gui_mch_menu_grey() does
(Yasuhiro Matsumoto).
Menu items use the (GtkWidget *)1 sentinel as their id, but
gui_mch_menu_hidden() only skipped NULL ids and passed the sentinel
to gtk_widget_get_visible(), causing a SEGV.
closes: #20523
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sat, 13 Jun 2026 19:39:54 +0000 (19:39 +0000)]
patch 9.2.0640: the "%" command jumps to parens and braces inside comments
Problem: The "%" command jumps to parens and braces inside comments,
unlike the "=" operator (cindent), which ignores them.
Solution: When 'comments' defines C-style comments and "%" is not in
'cpoptions', skip matching parens inside such comments, except
when the cursor is inside a comment so a match there can still
be found.
fixes: #20329
related: #20111
closes: #20491
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Sat, 13 Jun 2026 19:32:44 +0000 (19:32 +0000)]
patch 9.2.0639: gq with 'formatprg' fails on an empty buffer
Problem: gq (and other filters) on an empty buffer fail with
"E20: Mark not set": when the filter produces no output,
do_filter() still subtracts the line count from '[ and '],
pushing '] to line 0.
Solution: when the filter produces no output, put '[ and '] on a valid
line instead of subtracting past line 1 (glepnir).
related: neovim/neovim#30593
closes: #19061
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>