git.ipfire.org Git - thirdparty/vim.git/commit
patch 9.2.0436: Buffer overflow when parsing overlong errorformat lines v9.2.0436
author Christian Brabandt <cb@256bit.org>
Sun, 3 May 2026 18:32:11 +0000 (18:32 +0000)
committer Christian Brabandt <cb@256bit.org>
Sun, 3 May 2026 18:33:39 +0000 (18:33 +0000)
commit 77677c33dec485aadd371da75cce55d449b51798
tree 6de91e273cec227271e1d14efdd8659192140203
parent 190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
patch 9.2.0436: Buffer overflow when parsing overlong errorformat lines

Problem:  When an error line in a file passed to :cfile / :cgetfile is
          longer than IOSIZE, qf_parse_file_pfx() copies the tail
          into the fixed-size IObuff with STRMOVE(), overflowing the heap buffer.
          The same code path can also loop indefinitely because
          qf_parse_file_pfx() always returns QF_MULTISCAN when a
          tail is present, and qf_init_ext() unconditionally goes
          to "restofline" without bounding the tail length (Nabih).
Solution: Remove the STRMOVE() into IObuff.  In the QF_MULTISCAN
          branch, alias linebuf into the tail directly and update
          linelen, requiring strict progress (new length less than
          the previous length) before retrying; otherwise ignore
          the line.

closes: #20126

Supported by AI

Signed-off-by: Christian Brabandt <cb@256bit.org>
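As an added illustration of the strict-progress rule the commit message describes (a constructed model, not Vim's code): a toy prefix parser stands in for qf_parse_file_pfx(), the tail is aliased rather than copied into a fixed IObuff, and a tail that does not shrink makes the scanner ignore the line instead of looping. The names parse_file_pfx, scan_line and scan_long_line, and the "<name>:<rest>" line shape, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the fix; the enum mirrors the QF_MULTISCAN idea. */
enum scan_result { QF_OK, QF_MULTISCAN };

/* Toy stand-in for qf_parse_file_pfx(): a line "<name>:<rest>" yields
 * <rest> as the tail to rescan.  A line whose name part is empty yields
 * the whole line as the tail, i.e. the parser did not advance; this is
 * the case the strict-progress check below must catch. */
static enum scan_result parse_file_pfx(const char *linebuf, size_t linelen,
                                       const char **tail, size_t *taillen)
{
    const char *colon = memchr(linebuf, ':', linelen);
    if (colon == NULL)
        return QF_OK;                   /* no prefix: line is complete */
    if (colon == linebuf) {             /* empty name: zero progress */
        *tail = linebuf;
        *taillen = linelen;
    } else {
        *tail = colon + 1;
        *taillen = linelen - (size_t)(colon + 1 - linebuf);
    }
    return QF_MULTISCAN;
}

/* Fixed shape: alias linebuf into the tail and update linelen, retrying
 * only when the tail is strictly shorter than before.  No copy into a
 * fixed-size buffer happens, so line length cannot overflow anything.
 * Returns the number of rescans, or -1 if the line was ignored. */
int scan_line(const char *linebuf, size_t linelen)
{
    int rescans = 0;
    for (;;) {
        const char *tail = NULL;
        size_t taillen = 0;
        if (parse_file_pfx(linebuf, linelen, &tail, &taillen) != QF_MULTISCAN)
            return rescans;
        if (taillen >= linelen)         /* no strict progress: give up */
            return -1;
        linebuf = tail;                 /* alias, no STRMOVE() into IObuff */
        linelen = taillen;
        rescans++;
    }
}

/* Overlong case: build "f:" followed by n-2 'x' bytes and scan it. */
int scan_long_line(size_t n)
{
    if (n < 2) return -2;
    char *line = malloc(n);
    if (line == NULL) return -2;
    line[0] = 'f'; line[1] = ':';
    memset(line + 2, 'x', n - 2);
    int r = scan_line(line, n);
    free(line);
    return r;
}
```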
src/quickfix.c
src/testdir/test_quickfix.vim
src/version.c