Barrett Ruth [Fri, 26 Jun 2026 19:46:11 +0000 (19:46 +0000)]
patch 9.2.0729: % skips parens on continued quoted lines
Problem: The "%" command and bracket/text-object motions can skip the
matching paren or bracket on a line with quotes and a trailing
backslash.
Solution: Use the quote state at the search start when an odd-quote line
is continued with a backslash, instead of always treating the
search as starting in quotes (Barrett Ruth).
closes: #20631
Signed-off-by: Barrett Ruth <br@barrettruth.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Wed, 24 Jun 2026 20:37:21 +0000 (20:37 +0000)]
patch 9.2.0726: filetype detect missing from completion
Problem: ":filetype detect" is a valid command but not offered by
command-line completion.
Solution: Add "detect" to the completion candidates (glepnir)
closes: #20625
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Mon, 22 Jun 2026 04:00:36 +0000 (13:00 +0900)]
patch 9.2.0725: [security]: Stack out-of-bounds write in spell_soundfold_sal()
Problem: [security]: A crafted spell file with non-collapsing SAL rules
can make soundfold() write one byte past the end of the
MAXWLEN result buffer. This is the same class of
out-of-bounds write as GHSA-q8mh-6qm3-25g4 (fixed in 9.2.0698
for the SOFO branch), found while auditing the surrounding
code.
Solution: Bound the single-byte SAL result writes and the terminating
NUL to MAXWLEN - 1, matching the SOFO branch.
The single-byte branch of spell_soundfold_sal() guarded its writes with
"reslen < MAXWLEN", allowing reslen to reach MAXWLEN (254). The trailing
"res[reslen] = NUL" then wrote at index 254 of the 254-byte stack buffer
res[MAXWLEN], an off-by-one out-of-bounds write. Input is case-folded to
about 253 characters, so a 253-character argument together with a SAL map
that does not collapse (collapse_result false) reaches the boundary.
Related to previous issue
[GHSA-q8mh-6qm3-25g4](https://github.com/vim/vim/security/advisories/GHSA-q8mh-6qm3-25g4)
(9.2.0698)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Wed, 24 Jun 2026 18:57:35 +0000 (18:57 +0000)]
patch 9.2.0722: GTK4: find/replace dialog can be improved
Problem: GTK4: find/replace dialog can be improved
Solution: Store the action buttons in the dialog struct, update their
sensitivity when the search field changes, close the dialog on
Escape and set the dialog's default widget (Foxe Chen)
closes: #20613
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Wed, 24 Jun 2026 18:40:50 +0000 (18:40 +0000)]
patch 9.2.0721: serverlist() returns strings separated by \n
Problem: serverlist() returns strings separated by \n
(Christian J. Robinson)
Solution: Return a list of server names when given the
option dict argument (Foxe Chen).
fixes: #20582
closes: #20601
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Wed, 24 Jun 2026 18:19:53 +0000 (18:19 +0000)]
patch 9.2.0719: GTK4: default menu is lacking
Problem: GTK4: default menu is lacking: accelerator
text is not shown, mnemonics and 'winaltkeys' do not work
Solution: Replace the GMenuModel-based menus with a custom widget set
(VimMenuBar, VimMenuBarItem, VimMenu, VimMenuItem) in a new
gui_gtk4_menu.c, modelled on the GTK3 menu bar: show accelerator
text, support mnemonics and 'winaltkeys', add keyboard
navigation, instant tooltips, and the popup and F10 menus, and
implement the previously stubbed menu functions (Foxe Chen).
closes: #20593
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Dmytro Meleshko [Wed, 24 Jun 2026 17:51:22 +0000 (17:51 +0000)]
patch 9.2.0718: :syn sync without an argument also lists syntax cluster
Problem: :syn sync without an argument also lists every defined cluster
Solution: Fix control flow in syn_cmd_list() so that only the syncing
items are printed when this function gets called by :syn sync.
(dmitmel)
closes: #20614
Signed-off-by: Dmytro Meleshko <dmytro.meleshko@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
config:
~/.local/share/supertux2/config: supertux config
https://github.com/SuperTux/supertux/wiki/S-Expression#supertux-config-file
*.stsg: supertux save game
Hirohito Higashi [Tue, 23 Jun 2026 21:02:46 +0000 (21:02 +0000)]
patch 9.2.0713: completion: ruler not updated correctly when the popup menu is visible
Problem: While the insert-mode completion popup menu is visible, the
ruler - and the ruler shown in a status line when 'laststatus'
is set - shows the column where the completion started instead
of the real cursor column. With a status line the ruler can
also stay at the column from before the completion until the
next key is pressed.
Solution: Position the popup menu at the completion start column without
moving the cursor there, so the ruler keeps reflecting the
real cursor column. Also mark the status line for redraw
before the menu is shown, so its ruler is updated for the real
cursor column while the menu is visible.
closes: #20626
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Foxe Chen [Tue, 23 Jun 2026 20:03:31 +0000 (20:03 +0000)]
patch 9.2.0710: GTK4 GUI resize handling can be improved
Problem: GTK4 GUI resize handling can be improved
Solution: Remove the resize debounce, set the draw area's size request
in gui_mch_set_text_area_pos() via vim_form_move_resize()
(Foxe Chen).
reverts: #20327
closes: #20486
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Barrett Ruth [Mon, 22 Jun 2026 20:13:22 +0000 (20:13 +0000)]
patch 9.2.0707: completion: popup misplaced when text before it is concealed
Problem: When the cursor line has concealed text before the start of the
completion, the insert-mode completion popup is drawn at the wrong
screen column and the cursor no longer lines up with the completed
text.
Solution: Record the concealed width before the cursor on its screen line in
a new `win_T` field while `win_line()` draws it, subtract it in
`pum_display()` to place the menu over the visible text, and redraw
the cursor line so `win_line()` corrects the cursor too.
closes: #20539
Signed-off-by: Barrett Ruth <br@barrettruth.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0706: tests: test_terminal3 may fail when $SHELL is zsh
Problem: tests: test_terminal3 may fail when the shell ($SHELL) is zsh
with a custom prompt, because the prompt wraps the terminal
line and shifts the expected output.
Solution: Reset $HOME and $PS1 to sane defaults so the shell uses a
minimal prompt, and adjust the expected window height.
Miguel Barro [Mon, 22 Jun 2026 19:19:24 +0000 (19:19 +0000)]
patch 9.2.0703: session file does not store relative Vim9 autoload imports
Problem: mksession misses relative or absolute imports in the session,
homonymous autoload scripts imported from different scripts
cause errors (after v9.2.0579).
Solution: Correctly write scripts imported via :import autoload, skip any
that are no longer readable, and comment out imports whose autoload
prefix or file name tail would conflict with an earlier one
(Miguel Barro).
fixes: #12641
closes: #20564
Signed-off-by: Miguel Barro <miguel.barro@live.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0702: :windo and :tabdo create an extra window with 'winfixbuf'
Problem: With 'winfixbuf' set in the current window, :windo and :tabdo
create an extra split window, even though they only visit
existing windows/tabpages and don't change the current
window's buffer (Collin Kennedy)
Solution: Skip the 'winfixbuf' escape in ex_listdo() for :windo and
:tabdo (ShivaPriyanShanmuga)
fixes: #14301
closes: #20600
Signed-off-by: ShivaPriyanShanmuga <pshanmugashiva@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Mon, 22 Jun 2026 18:04:06 +0000 (18:04 +0000)]
patch 9.2.0701: tests: test_terminal.vim does not wait for job to finish
Problem: tests: Test_terminal_eof_arg() and
Test_terminal_duplicate_eof_arg() do not wait until the python
job finishes
Solution: Wait for the job to be dead before checking its exit value
(Vladimír Marek).
closes: #20571
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Jessica Clarke [Mon, 22 Jun 2026 17:58:04 +0000 (17:58 +0000)]
patch 9.2.0700: configure: -lrt requirement for timer_create not detected
Problem: configure does not actually check whether -lrt is needed for
timer_create(); the test only compiles instead of linking, so
the requirement is missed when cross-compiling
Solution: Use AC_LINK_IFELSE instead of AC_COMPILE_IFELSE for the
timer_create checks so the link actually decides whether -lrt
is required (Jessica Clarke)
AC_COMPILE_IFELSE won't try to link, so if the function exists in the
system headers, we will always detect that -lrt is not needed, as the
code will compile regardless of linker flags. If not cross-compiling,
the following AC_RUN_IFELSE will end up trying to link, so if -lrt is
needed it will fail to link and we will interpret timer_create as not
working, rather than that we just need to link with -lrt. But when we
are cross-compiling we will skip the AC_RUN_IFELSE and assume that it
works, failing to link when we later build if -lrt is in fact needed.
closes: #20605
related: 2cf145b78b88 ("patch 9.1.0837: cross-compiling has some issues") Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
K.Takata [Sun, 21 Jun 2026 20:33:17 +0000 (20:33 +0000)]
nsis: Remove NSIS Installer Code
Move the NSIS code to the vim/vim-win32-installer repository.
When we update the NSIS code, we sometimes need to update the
vim/vim-win32-installer scripts also. Managing them in the same repository
should be better for maintenance.
This PR should be merged after https://github.com/vim/vim-win32-installer/pull/457
closes: #20521
Signed-off-by: K.Takata <kentkt@csc.jp> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0698: [security]: Out-of-bounds write with soundfold()
Problem: [security]: Out-of-bounds write with soundfold()
(cipher-creator)
Solution: Add an abort condition to the for loop to validate the buffer
size.
patch 9.2.0697: possible overflow when parsing CSI keys
Problem: possible overflow when parsing CSI keys (cipher-creator)
Solution: Reject key codes above U+10FFFF and enlarge the key buffer,
guard the CSI argument accumulator against overflow
Foxe Chen [Sun, 21 Jun 2026 18:19:58 +0000 (18:19 +0000)]
patch 9.2.0696: GTK4: A few issues with toolbar support
Problem: GTK4: A few issues with toolbar support
Solution: Fix segfault when removing toolbar icon; bring focus to drawarea when button in overflow
menu is clicked (Foxe Chen)
closes: #20562
Signed-off-by: Foxe Chen <chen.foxe@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 17:59:05 +0000 (17:59 +0000)]
patch 9.2.0695: Solaris: test_delete_temp_dir() fails because of missing flock
Problem: Solaris: test_delete_temp_dir() fails because of missing flock
Solution: Skip the test (Vladimír Marek)
Test_delete_temp_dir() assumes Vim can detect when its cached private temp
directory has been deleted, which depends on flock/dirfd support. Solaris
does not provide flock(), so Vim keeps using the cached temp directory path
after the directory has been deleted. Skip the test there.
closes: #20567
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 17:54:12 +0000 (17:54 +0000)]
patch 9.2.0694: Solaris: some tests faiures due to Solaris peculiarities
Problem: Solaris: some tests faiures due to Solaris peculiarities
Solution: Fix test assumptions (Vladimír Marek)
Several Vim tests assume behavior that is not true for Solaris:
- Test_strptime() expects the artificial POSIX DST rule in TZ to be applied, but
Solaris strptime() returns the UTC value for that test case.
- Test_gettext() checks ngettext() with a singular-only test catalog entry. GNU
gettext reuses the singular translation for the Russian plural lookup, but
Solaris gettext returns an empty string for that malformed catalog entry.
- Test_detect_fifo() reads bash process substitution through /dev/fd, which
Solaris reports as character special rather than fifo.
- Test_termencoding_euc_jp() writes Xeuc_jp.txt as EUC-JP. On Solaris, the
latin1 fallback in 'fileencodings' can still be converted to euc-jp, causing
Vim to read the file as latin1 instead of as the current euc-jp encoding.
Read the generated EUC-JP file explicitly as EUC-JP on Solaris.
closes: #20568
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 17:45:37 +0000 (17:45 +0000)]
patch 9.2.0693: tests: Test_suspend() may fail because of keyprotocol query
Problem: tests: Test_suspend() may fail because of keyprotocol query
Solution: Disable keyprotocol and unset t_RK very early so that the
inner Vim does not query it (Vladimír Marek)
The nested Vim can send a keyprotocol query during startup. If the terminal
response arrives at the wrong time, the nested Vim may not consume it and the
response can be written to the inner terminal, leaving characters such as 4;2m
after the shell prompt when the test later suspends Vim.
The previous command tried to avoid that with -c 'set keyprotocol=', but -c
commands are applied too late. Use --cmd 'set t_RK= keyprotocol=' so the
inner Vim disables the query before startup can send it.
closes: #20570
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Solaris: Test_terminal_composing_unicode() fails, because
readline echoes combining UTF-8 input as octal bytes.
Solution: Force C.UTF-8 locale for the terminal test
(Vladimír Marek).
closes: #20572
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Sun, 21 Jun 2026 14:58:30 +0000 (14:58 +0000)]
patch 9.2.0690: Solaris: swap file names are too long
Problem: Solaris: dirent.h exposes MAXNAMLEN as 512, but the usable
file name component limit is 255 (defined in param.h). Vim
derives BASENAMELEN for generated swap file names from
MAXNAMLEN, so it creates overlong components and fails to
rename the swap file with ENAMETOOLONG (Vladimír Marek).
Solution: Override MAXNAMLEN to the effective Solaris component limit
of 255 for swap file name generation.
closes: #20573
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sun, 21 Jun 2026 14:53:03 +0000 (14:53 +0000)]
patch 9.2.0689: the "%" command is slow on a long line with many slashes
Problem: The "%" command can be very slow on a long line that contains
many slashes, for example a line of base64 data.
Solution: When looking for a line comment, scan the line only once while
skipping over strings, instead of rescanning from the start for
every slash. Move check_linecomment() to cindent.c so it can
reuse the file-local skip_string().
related: #20491
fixes: #20557
closes: #20575
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Gareth Lloyd [Sun, 21 Jun 2026 14:44:35 +0000 (14:44 +0000)]
runtime(cpp): add C++26 lexical constructs to syntax highlighting
Add a guarded "C++ 26 extensions" block (cpp_no_cpp26) covering new
lexical surface introduced since C++23:
- [[ ... ]] attributes as a region, so P3394 annotations carrying a
value expression (eg [[=foo{1}]]) no longer trip cErrInBracket on
their braces/parens. A \w\@1<! look-behind keeps it from matching a
subscripted immediately-invoked lambda (arr[[]{...}()]).
- ^^ reflection operator (P2996).
- [: :] splice brackets (P2996).
- contract_assert keyword (P2900).
Add input/cpp_cpp26.cpp exercising these constructs with screendumps,
and update dumps/cpp_noreturn_00.dump for the new [[ ]] attribute
delimiter highlighting.
closes: #20577
Signed-off-by: Gareth Lloyd <gareth@ignition-web.co.uk> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Sun, 21 Jun 2026 14:09:31 +0000 (14:09 +0000)]
patch 9.2.0688: Terminal-Normal mode does not show the Visual selection on a colored empty line
Problem: In Terminal-Normal mode the Visual selection is not visible on
the first cell of an empty line that was erased with a
background color (CSI K after e.g. CSI 100m); a plain empty
line shows it but a colored one does not.
Solution: Combine the Visual or search highlight onto the first cell on
top of the explicitly set background color, the same way it
shows with the default background.
closes: #20580
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0687: popup_image_composites_frames() has improper if block scope
Problem: popup_image_composites_frames() has improper if block scope
Solution: Add curly braces to properly scope the if block
(Yee Cheng Chin).
If the ifdef conditions within the if block evaluates to false, then the
generated code will have the if block apply to the next statement
instead. Use a curly brace to properly scope the if block.
related: #20478
closes: #20584
Signed-off-by: Yee Cheng Chin <ychin.git@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0685: clipboard.c does not get the Wayland CFLAGS on GTK2
Problem: clipboard.c relies on the GTK include flags from
pkg-config to pull in the Wayland headers. This is not
guaranteed: GTK2 does not add them, and Wayland clipboard
support is independent of the GUI.
Solution: Add $(WAYLAND_CFLAGS) and $(WAYLAND_CPPFLAGS) to the
clipboard.c compile rule so it always compiles, consistent
with the other Wayland files (Christoffer Aasted).
closes: #20576
Signed-off-by: Christoffer Aasted <dezzadk@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Doug Kearns [Sun, 21 Jun 2026 13:03:21 +0000 (13:03 +0000)]
patch 9.2.0684: :reg # does not display the value of the '#' register
Problem: ':registers #' does not display the value of the '#' register.
Solution: Filter the '#' :registers output on a '#' arg instead of '%'
(Doug Kearns).
closes: #20589
Signed-off-by: Doug Kearns <dougkearns@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Sun, 21 Jun 2026 12:55:58 +0000 (12:55 +0000)]
patch 9.2.0683: filetype completion mishandles finished sub options
Problem: ":filetype plugin<Tab>" gives "pluginindent" because a
sub option before the cursor is treated as already given.
Solution: only skip plugin and indent when followed by white space.
(glepnir)
closes: #20594
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
zeertzjq [Sun, 21 Jun 2026 12:52:36 +0000 (12:52 +0000)]
patch 9.2.0682: Wrong dot-repeat when calling complete() while filtering completion
Problem: Wrong dot-repeat when calling complete() while filtering
Ctrl-N completion.
Solution: Also check compl_started for whether completion is active.
(zeertzjq)
related: neovim/neovim#40346
closes: #20595
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0681: configure: -lruby added even for a dynamic ruby build
Problem: configure: -lruby is added to the link flags even for a
dynamic ruby build, creating a hard dependency on the Ruby
library (Johannes Schindelin, after v9.2.0674).
Solution: For a dynamic build filter out -l flags from librubyarg.
Hirohito Higashi [Sat, 20 Jun 2026 16:06:58 +0000 (16:06 +0000)]
patch 9.2.0679: [security]: Out-of-bounds read with text property virtual text
Problem: [security]: Out-of-bounds read with text property virtual text.
A crafted undo file can declare a virtual-text property whose
offset points outside the line's property data, so reading the
virtual text reads out of bounds. This completes the count-only
check added in 9.2.0670.
Solution: Validate the virtual-text offset and length of each property
against the available property data before turning the offset
into a pointer.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0678: [security]: potential powershell code execution in zip.vim
Problem: [security]: potential powershell code execution in zip.vim
(DDugs)
Solution: Cleanup zip.vim, introduce PSEscape() to escape() potential powershell code,
use consistent s:Escape() in the various PowerShell functions
Hirohito Higashi [Thu, 18 Jun 2026 20:12:48 +0000 (20:12 +0000)]
ccfilter: buffer overflow in ccfilter.c with crafted compiler output
Problem: ccfilter: can overflow fixed-size buffers (FileName, BasePath,
Reason) when parsing crafted compiler output, because the
sscanf() calls read "%[" fields without a width limit (DDugs)
Solution: Give every sscanf() "%[" conversion a width limit derived from
the buffer size (Hirohito Higashi).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Thu, 18 Jun 2026 19:31:18 +0000 (19:31 +0000)]
patch 9.2.0676: MS-Windows: cannot switch to a buffer with '%' in its name
Problem: On MS-Windows it is not possible to switch to a buffer by name
with ":b" (including via command-line completion) when the
buffer name contains '%'.
Solution: Do not escape '%' and '#' for the ":buffer" command on
MS-Windows. Since ":buffer" has no EX_XFILE these are not
expanded, and escaping them as "\%"/"\#" makes buffer name
matching fail when '%'/'#' is in 'isfname' (the backslash is
treated as a path separator).
fixes: #20529
closes: #20548
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: configure: clears dynamic ruby linker flags, after setting those
Solution: Make configure keep Ruby linker arguments when Ruby support is
built with --enable-rubyinterp=dynamic. The dynamic Ruby
branch clears RUBY_LIBS before setting DYNAMIC_RUBY, so add librubyarg
after that branch instead of before it (Vladimír Marek).
related: #17906
closes: #20558
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Vladimír Marek [Thu, 18 Jun 2026 19:12:40 +0000 (19:12 +0000)]
runtime(tar): fix lz4 extraction on non-Linux systems
Patch 9.2.0306 fixed malformed lz4 extraction commands by using "tar -I lz4"
on Linux and leaving non-Linux tar implementations to auto-detect lz4 input.
That still fails on systems where tar does not support either -I lz4 or
automatic lz4 decompression, such as Solaris /usr/bin/tar.
Keep the existing Linux path using GNU tar's "-I lz4" support. For non-Linux
systems, use lz4 explicitly to decompress the archive to stdout and feed the
resulting tar stream to the configured tar extraction command. This is the
same style tar.vim already used for lz4 archives before patch 9.2.0306.
Follow-up for #19925
closes: #20555
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Test_recover_corrupted_swap_file1() copies prebuilt corrupt swap samples
before recovering them. In an out-of-source-tree build those sample
files may be symlinks into the source tree. filecopy() preserves
symlinks, so the copied target may remain a symlink. Recovery opens
swap files with O_NOFOLLOW, so that copied symlink cannot be opened.
Read the sample as a blob and write it back so the recovery target is a
real swap file.
closes: #20561
Signed-off-by: Vladimír Marek <vlmarek13@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Hirohito Higashi [Thu, 18 Jun 2026 18:55:52 +0000 (18:55 +0000)]
patch 9.2.0672: corrupted text property causes internal error
Problem: Restoring a crafted/corrupted persistent-undo file and then
inspecting the line (e.g. prop_list()) reports the bad text
property data as an internal error. On builds with
ABORT_ON_INTERNAL_ERROR (the sanitizer CI job) this aborts the
process even inside assert_fails(), so the test added in
9.2.0670 fails deterministically.
Solution: The prop data only comes from an untrusted persistent-undo
file, so detecting it is input validation, not an internal
bug. Report it with a normal error (emsg) instead of iemsg,
matching how other corrupted persistent files are reported.
The out-of-bounds read is still prevented.
closes: #20559
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files
Problem: [security]: possible out-of-bounds read with sodium encrypted
files (cipher-creator)
Solution: Verify that there is enough space before calling
crypto_secretstream_xchacha20poly1305_init_pull()
Hirohito Higashi [Wed, 17 Jun 2026 19:37:28 +0000 (19:37 +0000)]
patch 9.2.0666: Terminal-Normal mode does not color empty lines with a background color
Problem: In Terminal-Normal mode an empty line that was erased with a
background color (CSI K after e.g. CSI 100m) is shown without
that color, although it is colored while the job is running.
Solution: Reset the empty line's background attribute only when the fill
is the terminal's default color, so that a Visual selection
still shows on a plain empty line, while an explicitly set
background color is kept.
closes: #20547
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0663: [security]: runtime(netrw): code injection in local file deletion
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" injects arbitrary Ex commands when the file is
deleted (cipher-creator)
Solution: Use fnameescape() to correctly escape the file name
(Yasuhiro Matsumoto).
patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()
Problem: [security]: a crafted spell file with a self-referential
BY_INDEX node in the prefix tree can drive dump_prefixes()
past the end of its MAXWLEN-sized depth arrays on :spelldump
(cipher-creator)
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do (Yasuhiro Matsumoto)
patch 9.2.0661: unintended wipe of Vim's temp dir, causes errors
Problem: Unintended wipe of Vim's temp dir, causes errors and may also
leak temporary data (David Leadbeater)
Solution: In vim_tempname() verify the temp directory still exists (via
its open file descriptor) and re-create it if it was removed.
patch 9.2.0658: xxd: signed integer overflow in huntype()
Problem: malformed revert input with an overlong address column causes
signed integer overflow (UB) in huntype().
Solution: perform the offset/bit shifts through unsigned types
related: neovim/neovim#40246
Supported by AI
Co-Authored-by: Justin M. Keyes <justinkz@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
glepnir [Tue, 16 Jun 2026 19:11:38 +0000 (19:11 +0000)]
patch 9.2.0656: completion: using wrong tolower() in smartcase filtering
Problem: ins_compl_equal_sc() uses MB_TOLOWER() on single bytes, but
it indexes raw bytes, not decoded characters (after v9.1.0651).
Solution: Use TOLOWER_LOC(), matching what STRNICMP()/ins_compl_equal()
does (glephunter).
closes: #20535
Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0654: GTK4: using uninitialised colors in gui_mch_init()
Problem: GTK4: using uninitialised colors in gui_mch_init()
Solution: Use g_new0() instead of g_new() (Yasuhiro Matsumoto)
gui.fgcolor/bgcolor/spcolor were allocated with g_new(), leaving the
GdkRGBA fields uninitialised. On widget realize/map GTK runs
gui_mch_new_colors() -> surface_fill_bg() before gui_mch_set_bg_color()
assigns them, so cairo_set_source_rgba() branched on uninitialised
values (reported by valgrind). Use g_new0() to zero-initialise.
closes: #20538
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>