patch 9.2.0185: buffer overflow when redrawing custom tabline

Problem:  When drawing a custom tabline, if topframe->fr_width is
          larger than Columns (possible during tab closure with
          showtabpanel=1), Vim writes past the end of the
          TabPageIdxs[] array.
Solution: Cap the column limit at Columns to ensure TabPageIdxs is
          never accessed out-of-bounds (thinca).

closes: #19725

Supported by AI

Signed-off-by: thinca <thinca@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/screen.c b/src/screen.c
index fc99ac3726890011aede6eef72ca8d2338ce6892..acef4d38bd67eaa01e3e7ffed1e7a2e6c16cff5f 100644 (file)
--- a/src/screen.c
+++ b/src/screen.c
@@ -1439,6 +1439,9 @@ win_redr_custom(
     if (wp == NULL)
     {
        // Fill the TabPageIdxs[] array for clicking in the tab pagesline.
+       int end_col = firstwin->w_wincol + topframe->fr_width;
+       if (end_col > Columns)
+           end_col = Columns;
        col = firstwin->w_wincol;
        len = 0;
        p = buf;
@@ -1446,12 +1449,14 @@ win_redr_custom(
        for (n = 0; tabtab[n].start != NULL; n++)
        {
            len += vim_strnsize(p, (int)(tabtab[n].start - p));
-           while (col < len)
+           while (col < len && col < end_col)
                TabPageIdxs[col++] = fillchar;
+           if (col >= end_col)
+               break;
            p = tabtab[n].start;
            fillchar = tabtab[n].userhl;
        }
-       while (col < firstwin->w_wincol + topframe->fr_width)
+       while (col < end_col)
            TabPageIdxs[col++] = fillchar;
     }
 

diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index e02e4f303e0929507dfe17166566d979bee2dc5f..21f66cfcdec42bdecc62d7f1f04ca81b632f9a57 100644 (file)
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -158,6 +158,20 @@ func Test_mouse_click_in_tab()
   call RunVim([], [], "-e -s -S Xclickscript -c qa")
 endfunc
 
+func Test_tabline_TabPageIdxs_overflow()
+  " Regression: TabPageIdxs[] overflow when closing a tab with custom
+  " 'tabline' and showtabpanel=1 (firstwin->w_wincol + topframe->fr_width
+  " could exceed Columns).
+  CheckFeature tabpanel
+  let before = [
+      \ 'set showtabpanel=1',
+      \ 'set tabline=foo',
+      \ 'call feedkeys(":qa!\<CR>")',
+      \ ]
+  call RunVim(before, [], '-p Xtabline_overflow_a Xtabline_overflow_b')
+  call assert_equal(0, v:shell_error, 'Vim subprocess must not crash (TabPageIdxs overflow)')
+endfunc
+
 func Test_tabline_showcmd()
   CheckScreendump
 

diff --git a/src/version.c b/src/version.c
index 0bfaa8e7a507fa14e0ba1646e8bda66f7ced05c4..1f2cf0ec2422c0806d14fdaf9e845b3293b96b94 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    185,
 /**/
     184,
 /**/