]> git.ipfire.org Git - thirdparty/vim.git/commit
projects / thirdparty / vim.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9b7dfa2) | patch
patch 9.2.0076: [security]: buffer-overflow in terminal handling v9.2.0076
authorChristian Brabandt <cb@256bit.org>
Mon, 23 Feb 2026 20:29:43 +0000 (20:29 +0000)
committerChristian Brabandt <cb@256bit.org>
Fri, 27 Feb 2026 20:51:55 +0000 (20:51 +0000)
commitbb6de2105b160e729c340631435cd62f3e69bd32
treef66df0c73eb5f5f4a1982d29a989635fbf7961b2tree | snapshot
parent9b7dfa2948c9e1e5e32a5812812d580c7879f4a0commit | diff
patch 9.2.0076: [security]: buffer-overflow in terminal handling

Problem:  When processing terminal output with many combining characters
          from supplementary planes (4-byte UTF-8), a heap-buffer
          overflow occurs. Additionally, the loop iterating over
          cell characters can read past the end of the vterm array
          (ehdgks0627, un3xploitable).
Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure
          sufficient space. Add a boundary check to the character
          loop to prevent index out-of-bounds access.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/terminal.c diff | blob | blame | history
src/testdir/samples/terminal_max_combining_chars.txt [new file with mode: 0644] blob
src/testdir/test_terminal3.vim diff | blob | blame | history
src/version.c diff | blob | blame | history
Mirror of https://github.com/vim/vim.git