From: thinca <thinca@gmail.com>
Date: Tue, 17 Mar 2026 18:52:58 +0000 (+0000)
Subject: patch 9.2.0185: buffer overflow when redrawing custom tabline
X-Git-Tag: v9.2.0185^0
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ed7c7fb2257076181afefe13b8967c9afec9b0d6;p=thirdparty%2Fvim.git

patch 9.2.0185: buffer overflow when redrawing custom tabline

Problem:  When drawing a custom tabline, if topframe->fr_width is
          larger than Columns (possible during tab closure with
          showtabpanel=1), Vim writes past the end of the
          TabPageIdxs[] array.
Solution: Cap the column limit at Columns to ensure TabPageIdxs is
          never accessed out-of-bounds (thinca).

closes: #19725

Supported by AI

Signed-off-by: thinca <thinca@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---

diff --git a/src/screen.c b/src/screen.c
index fc99ac3726..acef4d38bd 100644
--- a/src/screen.c
+++ b/src/screen.c
@@ -1439,6 +1439,9 @@ win_redr_custom(
     if (wp == NULL)
     {
 	// Fill the TabPageIdxs[] array for clicking in the tab pagesline.
+	int end_col = firstwin->w_wincol + topframe->fr_width;
+	if (end_col > Columns)
+	    end_col = Columns;
 	col = firstwin->w_wincol;
 	len = 0;
 	p = buf;
@@ -1446,12 +1449,14 @@ win_redr_custom(
 	for (n = 0; tabtab[n].start != NULL; n++)
 	{
 	    len += vim_strnsize(p, (int)(tabtab[n].start - p));
-	    while (col < len)
+	    while (col < len && col < end_col)
 		TabPageIdxs[col++] = fillchar;
+	    if (col >= end_col)
+		break;
 	    p = tabtab[n].start;
 	    fillchar = tabtab[n].userhl;
 	}
-	while (col < firstwin->w_wincol + topframe->fr_width)
+	while (col < end_col)
 	    TabPageIdxs[col++] = fillchar;
     }
 
diff --git a/src/testdir/test_tabline.vim b/src/testdir/test_tabline.vim
index e02e4f303e..21f66cfcde 100644
--- a/src/testdir/test_tabline.vim
+++ b/src/testdir/test_tabline.vim
@@ -158,6 +158,20 @@ func Test_mouse_click_in_tab()
   call RunVim([], [], "-e -s -S Xclickscript -c qa")
 endfunc
 
+func Test_tabline_TabPageIdxs_overflow()
+  " Regression: TabPageIdxs[] overflow when closing a tab with custom
+  " 'tabline' and showtabpanel=1 (firstwin->w_wincol + topframe->fr_width
+  " could exceed Columns).
+  CheckFeature tabpanel
+  let before = [
+      \ 'set showtabpanel=1',
+      \ 'set tabline=foo',
+      \ 'call feedkeys(":qa!\<CR>")',
+      \ ]
+  call RunVim(before, [], '-p Xtabline_overflow_a Xtabline_overflow_b')
+  call assert_equal(0, v:shell_error, 'Vim subprocess must not crash (TabPageIdxs overflow)')
+endfunc
+
 func Test_tabline_showcmd()
   CheckScreendump
 
diff --git a/src/version.c b/src/version.c
index 0bfaa8e7a5..1f2cf0ec24 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    185,
 /**/
     184,
 /**/