Problem: typeahead buffer overflow during mouse drag event
Solution: Change the guard from 5 to 10 to account for the worst case
(Yasuhiro Matsumoto).

The typeahead buffer guard in mch_inchar() only reserved 5 bytes per
iteration, but a mouse event writes up to 7 bytes (3 header + 4
coordinates) and a scroll event with modifiers writes up to 10 bytes
(3 modifier + 3 scroll + 4 coordinates). During fast mouse dragging,
3+ events could queue up and overflow the 20-byte buffer, corrupting
adjacent static variables and causing garbage bytes (including Ctrl-Z)
to be fed into the input stream, which triggered nv_suspend/ex_stop.

closes: #19851

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
# endif
// Keep looping until there is something in the typeahead buffer and more
- // to get and still room in the buffer (up to two bytes for a char and
- // three bytes for a modifier).
+ // to get and still room in the buffer. A mouse event uses up to
+ // 10 bytes: 3 (modifier) + 3 (scroll event) + 4 (coordinates), and a
+ // keyboard input uses up to 7 bytes: 3 (modifier) + 4 (UTF-8 char).
while ((typeaheadlen == 0 || WaitForChar(0L, FALSE))
- && typeaheadlen + 5 + TYPEAHEADSPACE <= TYPEAHEADLEN)
+ && typeaheadlen + 10 + TYPEAHEADSPACE <= TYPEAHEADLEN)
{
if (typebuf_changed(tb_change_cnt))
{
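Review bot: the `10` in the `while` condition is a bare literal whose only justification is the arithmetic in the comment above it (3 + 3 + 4), so nothing forces the guard to follow if an event ever writes more bytes, which is how the old `5` fell out of step with the mouse code. Consider a named constant for the worst-case event size (for example a hypothetical `MAX_EVENT_BYTES`) and use it in `typeaheadlen + 10 + TYPEAHEADSPACE <= TYPEAHEADLEN`, so the reserve is defined in one place next to its explanation. A regression test that queues several scroll-with-modifier events back to back would also help, since the commit message describes the overflow appearing only once 3+ events were queued.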
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 266,
/**/
265,
/**/