patch 9.2.0325: runtime(tar): bug in zstd handling
Problem: patch 9.2.0325: runtime(tar): bug in zstd handling
Solution: use correct --zstd argument, separated from other arguments,
rework testing framework (Aaron Burrow).
The tar.vim plugin allows vim to read and manipulate zstd archives,
but it had a bug that caused extraction attempts to fail.
Specifically, if the archive has a .tar.zst or .tzst extension, then
the code was generating invalid extraction commands that looked like
this:
tar --zstdpxf foo.tar.zst foo
When they should be like this:
tar --zstd -pxf foo.tar.zst foo
This patch changes the flag manipulation logic so that --zstd isn't
glued to pxf.
The labor for this change was divided between ChatGPT 5.4 and me.
ChatGPT 5.4 identified the issue (from a code scan?), and I wrote
the patch and tested vim.
related: #19930
Signed-off-by: Aaron Burrow <burrows@fastmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
The reference dump for Test_popupwin_opacity_wide_2 was not updated
when patch 9.2.0319 changed the blending behavior for double-width
characters at popup padding boundaries. The covered half of a
double-width character now correctly shows a space instead of the
full character.
related: #19881
closes: #19934
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0321: MS-Windows: No OpenType font support
Problem: MS-Windows: No OpenType font support
Solution: Allow specifying OpenType font features directly in 'guifont'
(Yasuhiro Matsumoto).
Allow specifying OpenType font features directly in 'guifont' using
the ':f' option (e.g., :set guifont=Cascadia_Code:h14:fss19=1:fcalt=0).
Each ':fXXXX=N' sets a single OpenType feature tag with a parameter
value. Multiple features can be specified by repeating the ':f' option.
This only takes effect when 'renderoptions' is set to use DirectWrite
(type:directx). Default features (calt, liga, clig, rlig, kern) are
preserved unless explicitly overridden.
closes: #19857
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-Authored-By: Paul Ollis <paul@cleversheep.org> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0319: popup: rendering issues with partially transparent popups
Problem: popup: rendering issues with partially transparent popups.
Solution: Redraw the area under the old popup position on move or
resize. Apply the background blend only to the covered half of
a double-width character. (Yasuhiro Matsumoto)
closes: #19881
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0318: cannot configure opacity for popup menu
Problem: cannot configure opacity for popup menu
Solution: Add the 'pumopt' option, consolidate existing pum options into
the pumopt option (Yasuhiro Matsumoto)
closes: #19931
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0316: [security]: command injection in netbeans interface via defineAnnoType
Problem: [security]: The netbeans defineAnnoType command passes typeName, fg and bg
unsanitized to coloncmd(), allowing a malicious server to inject
arbitrary Ex commands via '|'. Similarly, specialKeys does not
validate key tokens before building a map command.
Solution: Validate typeName, fg and bg against an allowlist of safe
characters before passing them to coloncmd()
Add bounds checking and integer overflow guards across multiple files
as a defensive measure. While these code paths are unlikely to be
exploitable in practice, the guards prevent undefined behavior in
edge cases.
- libvterm/vterm.c: use heap tmpbuffer instead of stack buffer in
vsprintf() fallback path
- channel.c: validate len in channel_consume() before mch_memmove()
- spell.c: use long instead of int for addlen to avoid signed overflow
in size_t subtraction
- alloc.c: add SIZE_MAX overflow check in ga_grow_inner() before
itemsize multiplication
- list.c: add overflow check before count * sizeof(listitem_T)
- popupwin.c: add overflow check before width * height allocation
- insexpand.c: add overflow check before compl_num_bests multiplication
- regexp_bt.c: replace sprintf() with vim_snprintf() in regprop()
- spellfile.c: use SIZE_MAX instead of LONG_MAX for allocation overflow
check
closes: #19904
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0314: channel: can bind to all network interfaces
Problem: channel: can bind to all network interfaces in ch_listen()
(after v9.2.0153)
Solution: Restrict to a valid hostname, do not allow to bind on all
network interfaces (Zdenek Dohnal).
This will prevent unintentional binding the process to public network
interfaces, and opening Vim to communication from outside network if
firewall allows it.
related: #19231
closes: #19799
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0311: redrawing logic with text properties can be improved
Problem: redrawing logic with text properties can be improved in
win_line()
Solution: Avoid repeated sorts, use stack storage for small
properties, pre-compute whether trailing virtual text follows
(Yasuhiro Matsumoto)
closes: #19880
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()
problem: unnecessary work in vim_strchr() and find_term_bykeys()
Solution: Redirect vim_strchr() to vim_strbyte() for ASCII input
Add an early exit to find_term_bykeys() using the terminal
leader table, mirroring check_termcode(). Reduces instruction
count on startup by about 27%. (Yasuhiro Matsumoto)
closes: #19902
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0307: more mismatches between return types and documentation
Problem: more mismatches between return types and documentation
Solution: Update documentation, fix return type for remote_foreground()
and test_mswin_event() (Hirohito Higashi)
Doc summary table fixes:
- ch_info: String -> Dict
- spellbadword: String -> List
- undotree: List -> Dict
- test_getvalue: any -> Number
- instanceof, popup_filter_menu, popup_filter_yesno: Number -> Bool
- remote_foreground: Number -> none
- test_mswin_event: bool -> Bool
Detail "Return type:" fixes:
- instanceof: Number -> vim9-boolean
- remote_foreground: Number -> void
- popup_filter_menu, popup_filter_yesno: Number -> vim9-boolean
related: #19922
closes: #19923
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0306: runtime(tar): some issues with lz4 support
Problem: runtime(tar): some issues with lz4 support
Solution: Fix bugs (see below) (Aaron Burrow)
The tar plugin allows users to extract files from tar archives that are
compressed with lz4. But, tar#Extract() builds malformed extraction commands
for lz4-compressed tar archives. This commit fixes three issues in that code.
The first affects archives with a .tlz4 extension and the other two affect
archives with .tar.lz4 extension (but one of these is symmetric to the issue
that .tlz4 archives had).
(1) When trying to extract .tlz4 archives the command created by
tar#Extract looked like this:
tar -I lz4pxf foo.tlz4 foo
This isn't right. It should be something like this:
tar -I lz4 -pxf foo.tlz4 foo
This was happening because tar.plugin is just substituting on the
first - in "tar -pxf". This works fine if we just add a simple flag for
extraction (eg, z for .tgz), but for lz4 we need to add "-I lz4".
I don't believe that there is an obvious good way to fix this without
reworking the way the command is generated. Probably we should collect
the command and flags separately and the flags should be stored in a
set. Then put everything together into a string just before issuing it
as an extraction command. Unfortunately, this might break things for users
because they have access to tar_extractcmd.
This patch just makes the substitution a little bit more clever so that it
does the right thing when substituting on a string like "tar -pxf".
(2) .tar.lz4 extractions had the same issue, which my patch fixes in
the same way.
(3) .tar.lz4 extractions had another issue. There was a space missing
in the command generated by tar#Extract. This meant that commands
looked like this (notice the lack of space between the archive and output
file names):
tar -I lz4pxf foo.tar.lz4foo
This patch just puts a space where it should be.
Finally, I should note that ChatGPT 5.4 initially identified this issue
in the code and generated the test cases. I reviewed the test cases,
wrote the patch, and actually ran vim against the tests (both with and
without the patch).
closes: #19925
Signed-off-by: Aaron Burrow <burrows@fastmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime(vim9): Fix dist#vim9#Open() spaced paths and SIGPIPE crashes
Problem: dist#vim9#Open() fails to open files with spaces on Linux
because Launch() splits the command string. Also,
background GUI viewers (e.g., xdg-open) crash with SIGPIPE
when Vim destroys the default job_start() IO pipes.
Solution: Use job_start() with 'sh -c' to let the POSIX shell parse
the shellescaped quotes safely. Set 'in_io', 'out_io', and
'err_io' to 'null' to completely detach the background
process and prevent pipe crashes. Unify the Launch()
execution block across all operating systems.
closes: #19928
fixes: #19916
Signed-off-by: Furkan Sahin <furkan-dev@proton.me> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0305: mismatch between return types and documentation
Problem: mismatch between return types and documentation
Solution: Fix documentation, update f_err_teapot() return type to void
(Hirohito Higashi)
- Fix summary table in builtin.txt: feedkeys, foreground, setcharsearch,
term_wait, test_void, wildtrigger, ch_sendraw from non-none to none;
listener_remove and prop_add from none to Number
- Fix err_teapot in evalfunc.c: ret_number_bool to ret_void
- Fix "Return type:" in detailed doc sections (64 functions across builtin.txt,
channel.txt, terminal.txt, popup.txt, testing.txt, textprop.txt) from wrong
types to void
- Add missing "Return type: void" for prompt_setcallback and prop_add_list
closes: #19922
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix
Problem: When the terminal is very large, test for 9.2.0285 doesn't
trigger an ASAN error without the fix.
Solution: Use a window with fixed height (zeertzjq)
closes: #19924
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0303: tests: zip plugin tests don't check for warning message properly
Problem: zip plugin tests may match messages from previous test cases
when checking for warning message.
Solution: Clear messages at the start of these tests (zeertzjq).
closes: #19926
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(netrw): RFC2396 decoding double escaping spaces
(lilydjwg, after 3e60f03d942d6bb0f7eac)
Solution: Remove escape() call, since we are using fnameescape() anyhow
patch 9.2.0301: Vim9: void function return value inconsistent
Problem: Vim9: void function return value inconsistent between
script and :def
Solution: Make void built-in functions like bufload() return void
consistently (Hirohito Higashi)
In Vim9 script, calling a void built-in function (e.g. bufload()) at the
script level did not set rettv to VAR_VOID, making it appear to return
0. Inside :def it correctly returned VAR_VOID and raised E1031. Set
rettv to VAR_VOID after calling a ret_void built-in function in Vim9
script so the behavior is consistent.
Also fix the documentation for bufload() and ch_logfile() to correctly
state that the return type is void.
patch 9.2.0300: The vimball plugin needs some love
Problem: The vimball plugin needs some love
(syndicate)
Solution: Clean-up, refactor and update the plugin,
in particular, catch path traversal attacks
This change does the following
- Clean up Indentation and remove calls to Decho
- Increase minimum Vim version to 7.4 for mkdir()
- Use mkdir() consistently
- Update Metadata Header
- Remove check for fnameescape()
- Catch path traversal attacks
- Add vimball basic tests
- Remove mentioning of g:vimball_mkdir in documentation
patch 9.2.0299: runtime(zip): may write using absolute paths
Problem: runtime(zip): may write using absolute paths
(syndicate)
Solution: Detect this case and abort on Unix, warn in the documentation
about possible issues
patch 9.2.0296: Redundant and incorrect integer pointer casts in drawline.c
Problem: Currently `colnr_T` and `int` and the same type, so casting
`int *` to `colnr_T *` is redundant. Additionally, even if
they are changed to different types in the future, these casts
are incorrect as they won't work on big-endian platforms.
Solution: Remove the casts. Also fix two cases of passing false instead
of 0 to an integer argument (zeertzjq).
related: #19672
closes: #19907
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak'
Problem: 'showcmd' shows wrong Visual block size with 'linebreak' after
end char (after 7.4.467).
Solution: Exclude 'linebreak' from end position. Also fix confusing test
function names.
closes: #19908
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0294: if_lua: lua interface does not work with lua 5.5
Problem: if_lua: lua interface does not work with lua 5.5
(Lyderic Landry)
Solution: Use the new lua API `luaL_openselectedlibs()`
(Yee Cheng Chin)
Lua 5.5 removed the API function `openlibs` with `openselectedlibs`,
with `luaL_openlibs` replaced by a macro that just calls the new
`luaL_openselectedlibs` in the headers (see lua/lua@d738c8d18). This
broke Vim's dynamic Lua build as we try to redefine `luaL_openlibs`
ourselves and also this function can no longer be loaded from the lib.
Update the code to use the new API call instead to fix the issue.
fixes: #19814
closes: #19842
closes: #19909
Signed-off-by: Yee Cheng Chin <ychin.git@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0293: :packadd may lead to heap-buffer-overflow
Problem: :packadd may lead to heap-buffer-overflow when all entries in
'runtimepath' have the same length (after 9.2.0291).
Solution: Check for comma after current entry properly (zeertzjq).
related: #19854
closes: #19911
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0292: E340 internal error when using method call on void value
Problem: E340 internal error when using method call on void value
(Peter Kenny)
Solution: Check for void value (Hirohito Higashi)
Using a method call on a void return value (e.g. "echo F()->empty()"
where F() returns void) caused an internal error E340. Now it properly
reports E1031 or E1186 depending on the context.
Changes:
- eval.c: check for void value before -> method call at runtime
- vim9expr.c: check for void type before -> method call at compile time
- vim9execute.c: check for void value in builtin function arguments and in
ISN_STORE
fixes: #19897
closes: #19912
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
John Marriott [Fri, 3 Apr 2026 15:08:48 +0000 (15:08 +0000)]
patch 9.2.0291: too many strlen() calls
Problem: too many strlen() calls
Solution: refactor concat_fname() and remove calls to strlen()
(John Marriott)
Function `concat_fnames()` can make up to 5 calls to `STRLEN()` (either
directly or indirectly via `STRCAT()`). In many cases the lengths of
arguments `fname1` and/or `fname2` are either known or can simply be
calculated.
This Commit refactors this function to accept the lengths of arguments
`fname1` and `fname2` as arguments. It also adds new argument `ret` to
return the resulting string as a `string_T`.
Additionally:
- function `add_pack_dir_to_rtp()` in `scriptfile.c`:
Use a `string_T` to store local variables `new_rtp` and `afterdir`.
Replace calls to `STRCAT()` with calls to `STRCPY()`.
Change type of variable `keep` to `size_t` for consistency with
other lengths.
- function `qf_get_fnum()` in `quickfix.c`:
Use a `string_T` to store local variables `ptr` and `bufname`
- function `qf_push_dir()` in `quickfix.c`:
Use a `string_T` to store local variable `dirname`.
Replace call to `vim_strsave()` with `vim_strnsave()`.
- function `qf_guess_filepath()` in `quickfix.c`:
Use a `string_T` to store local variable `fullname`.
- function `make_percent_swname()` in `memline.c`:
Rename some variables to better reflect their use.
Use a `string_T` to store local variables `d` and `fixed_name`.
Slightly refactor to remove need to create an extra string.
- function `get_file_in_dir()` in `memline.c`:
Use a `string_T` to store local variables `tail` and `retval`.
Move some variables closer to where they are used.
- function `cs_resolve_file()` in `if_cscope.c`:
Use a `string_T` to store local variable `csdir`.
Remove one call to `STRLEN()`.
- function `add_pathsep()` in `filepath.c`:
Refactor and remove 1 call to `STRLEN()`
- function `set_init_xdg_rtp()` in `option.c`:
Use a `string_T` to store local variable `vimrc_xdg`.
closes: #19854
Co-authored-by: Christian Brabandt <cb@256bit.org> Signed-off-by: John Marriott <basilisk@internode.on.net> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Amiga: no support for AmigaOS 3.x
Solution: Add support for building Vim on classic AmigaOS 3.x with the
bebbo cross-compiler and libnix (-noixemul) runtime
(Duncan Bowring).
The existing Make_ami.mak targets AmigaOS 4 (clib2), AROS, and MorphOS.
This patch adds a fourth target for classic 68k AmigaOS 3.x systems
(A1200, A4000, accelerated A500/A2000) using:
```
make -f Make_ami.mak UNM=AmigaOS3 BUILD=normal
```
Changes:
os_amiga.c:
- Add 256 KiB __stack cookie for OS3 (conservative for limited RAM)
- Add safe_Lock() wrapper to suppress "Please insert volume" system
requesters during path probing (benefits all Amiga targets)
- Suppress system requesters globally in mch_init() via pr_WindowPtr=-1
(Vim probes many paths at startup; Lock()/Open() on non-existent
volume names triggers blocking system requesters)
- Fix mch_get_host_name() for OS3 (libnix has no gethostname)
- Fix Delay() prototype for non-LATTICE compilers
- Fix nilfh file handle leak on error exit in mch_check_win()
os_amiga.h:
- Add fchown/fchmod/ftruncate no-op stubs for OS3/libnix
os_amiga_stubs.c (new):
- IM function stubs (referenced by optiondefs.h, no X11 on Amiga)
- mch_rmdir() via AmigaDOS DeleteFile()
- getpwuid()/getgrgid()/getuid() stubs (single-user system)
Make_ami.mak:
- Add AmigaOS3 target with -noixemul, -std=gnu99, -DWORDS_BIGENDIAN
blowfish.c:
- Accept WORDS_BIGENDIAN or AMIGA without requiring HAVE_CONFIG_H
xdiff/xmacros.h:
- Make SIZE_MAX fallback unconditional (not just hpux/VMS)
All OS3-specific changes are guarded by:
#if defined(__GNUC__) && defined(AMIGA) && !defined(__amigaos4__)
Tested on FS-UAE with Workbench 3.1: 23 automated tests passing.
Binary size: 2.2 MiB with -Os -m68020 -DFEAT_NORMAL.
This is the first modern Vim build for classic 68k AmigaOS since
Vim 5.8 circa 1998. Vim was originally released on the Amiga
(Fred Fish Disk 591, 1991).
closes: #19840
Signed-off-by: Duncan Bowring <duncan@bowring.us> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0289: 'linebreak' may lead to wrong Visual block highlighting
Problem: 'linebreak' may lead to wrong Visual block highlighting when
end char occupies multiple cells (after 7.4.467).
Solution: Exclude 'linebreak' from the ending column instead of setting
'virtualedit' temporarily (zeertzjq).
fixes: #19898
closes: #19900
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime(doc): adjust :h 'autowrite' and :h 'autowriteall'
- Don't go over 78 columns.
- Change the first "and" to "or", as "or" is used below.
- Change "takes one" to "switches", as "one" may be mistaken as
referring to the command instead of the user.
- Use backticks in :h 'autowriteall' like in :h 'autowrite'.
closes: #19859
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0288: libvterm: signed integer overflow parsing long CSI args
Problem: Accumulating CSI argument digits without an upper bound causes
signed integer overflow when the argument exceeds LONG_MAX.
Solution: Clamp CSI argument accumulation to CSI_ARG_MISSING to prevent
signed integer overflow (Yasuhiro Matsumoto).
closes: #19894
Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0286: still some unnecessary (int) casts in alloc()
Problem: still some unnecessary (int) casts in alloc()
Solution: Remove more unnecessary (int) casts before alloc() calls
(Yasuhiro Matsumoto).
Follow-up to patch 9.2.0283. Remove remaining (int) casts in
vim9script.c and netbeans.c.
vim9script.c: lengths are derived from STRLEN() on file paths,
bounded by PATH_MAX. netbeans.c: all operands are already int,
so the (int) cast is redundant and no truncation can occur.
related: #19888
closes: #19893
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0285: :syn sync grouphere may go beyond end of line
Problem: :syn sync grouphere may go beyond end of line.
Solution: Start searching for the end of region at the end of match
instead of a possibly invalid position (zeertzjq).
closes: #19896
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count
Problem: When a tabpanel expression returns a different number of lines on
successive evaluations, the computed row offset can become negative,
causing screen_fill() to receive an invalid start_row and crash
(after v9.1.1391).
Solution: Clamp the row argument in screen_fill_tailing_area() to zero,
add a safety check in screen_fill() for negative start_row
(Michał Majchrowicz)
Supported by AI
Co-authored-by: Michał Majchrowicz <mmajchrowicz@afine.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime(sh): Keep function name patterns engine neutral
Request less backtracking to function-name candidates for
nonlinear patterns with any regexp engine BUT force using
the old engine with these patterns to avoid incurring an
additional penalty, according to ":syntime report", when the
new regexp engine is preferred.
fixes: #19847
closes: #19849
Signed-off-by: Aliaksei Budavei <0x000c70@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime(doc): clarify term_start() I/O behavior for Unix pty and MS-Windows ConPTY
Explain how stdin/stdout/stderr are connected in term_start():
- On Unix, they default to pty; only "err_cb" switches stderr to a pipe,
which may cause output order differences due to buffering.
- On MS-Windows with ConPTY, they are always pipes and stdout/stderr
share the same pipe, so "err_cb" cannot separate them.
Test_viminfo_len_overflow tries to allocate ~4GB, which may throw E342
(out of memory) depending on the platform's memory allocation behavior.
This is an acceptable outcome since the test's purpose is to verify
that Vim does not crash on a crafted viminfo entry.
closes: #19891
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows
Problem: tests: Test_netrw_FileUrlEdit.. fails on Windows
(after 3e60f03d942d6bb0f7)
Solution: Skip the test on Windows (Yasuhiro Matsumoto).
The Test_netrw_FileUrlEdit_pipe_injection() test fails on Windows with
E303 because '|' is not a valid filename character on Windows. Since
the pipe character cannot appear in a Windows filename, the command
injection vector this test guards against does not apply on Windows.
closes: #19890
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0279: terminal: out-of-bounds write with overlong CSI argument list
Problem: libvterm CSI parser does not bounds-check argi against
CSI_ARGS_MAX, allowing excess ';'-separated arguments to
write past the end of the args array (sentinel404).
Solution: Drop excess arguments.
patch 9.2.0278: viminfo: heap buffer overflow when reading viminfo file
Problem: Reading a crafted viminfo file can cause a heap buffer
overflow because the length value from getdigits() is cast to
int, truncating large size_t values
Solution: Remove the (int) cast when calling alloc() (sentinel404)
Problem: tests: test_modeline.vim fails (after v9.2.0276)
Solution: Rewrite the tests to use the existing s:modeline_fails()
function, update documentation (zeertzjq).
Signed-off-by: zeertzjq <zeertzjq@outlook.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: modeline security bypass
Solution: disallow mapset() from secure mode, set the P_MLE flag for the
'complete', 'guitabtooltip' and 'printheader' options.
patch 9.2.0274: BSU/ESU are output directly to the terminal
Problem: BSU/ESU are output directly to the terminal
Solution: Route them through out_buf() and flush the output directly,
increase the OUT_SIZE terminal buffer (Yasuhiro Matsumoto)
Route synchronized-output control sequences through out_buf and flush
explicitly at protocol boundaries, instead of forcing BSU/ESU through
ui_write() directly.
Also increase the terminal output buffer from 2047 to 8191 bytes so
large redraws are emitted in fewer writes.
The important guarantee here is terminal-visible ordering: BSU must
reach the terminal before the batched redraw bytes, ESU must reach the
terminal after them, and FLUSH must emit ESU and BSU together, then
flush immediately.
Benchmark: PTY redraw workload with TERM=xterm-256color, long wrapped
lines, cursorline, listchars, horizontal scrolling, and repeated redraw!.
write syscalls: 8514 -> 5094 (-40.2%)
wall time: 0.568s -> 0.495s (-12.9%) on valid runs in this environment
closes: #19862
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0272: [security]: 'tabpanel' can be set in a modeline
Problem: 'tabpanel' can be set in a modeline
Solution: Set the P_MLE flag for the 'tabpanel' option, disable
autocmd_add()/autocomd_delete() functions in restricted/secure
mode.
Paul Ollis [Sun, 29 Mar 2026 14:21:11 +0000 (14:21 +0000)]
patch 9.2.0270: test: trailing spaces used in tests
Problem: test: trailing spaces used in tests
Solution: Rewrite tests to avoid trailing spaces (Paul Ollis).
Some tests currently rely on trailing whitespace at the end of lines,
escaped with '\'. I have demonstrated in another PR, such spaces can be
inadvertently removed and this is difficult to spot.
Note: there are more trailing spaces in a few more test files, see
testdir/test_codestyle.vim. Those are not yet removed.
closes: #19838
Signed-off-by: Paul Ollis <paul@cleversheep.org> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0266: typeahead buffer overflow during mouse drag event
Problem: typeahead buffer overflow during mouse drag event
Solution: Change the guard from 5 to 10 to account for the worst case
(Yasuhiro Matsumoto).
The typeahead buffer guard in mch_inchar() only reserved 5 bytes per
iteration, but a mouse event writes up to 7 bytes (3 header + 4
coordinates) and a scroll event with modifiers writes up to 10 bytes
(3 modifier + 3 scroll + 4 coordinates). During fast mouse dragging,
3+ events could queue up and overflow the 20-byte buffer, corrupting
adjacent static variables and causing garbage bytes (including Ctrl-Z)
to be fed into the input stream, which triggered nv_suspend/ex_stop.
closes: #19851
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
thinca [Sat, 28 Mar 2026 10:07:27 +0000 (10:07 +0000)]
patch 9.2.0265: unnecessary restrictions for defining dictionary function names
Problem: unnecessary restrictions for defining dictionary function
names
Solution: Allow defining dict function with bracket key that is not a
valid identifier (thinca)
In Vim script, "function obj.func()" and "function obj['func']()" both
define a dictionary function. However, the bracket form required the
key to match function naming rules (eval_isnamec), so
"function obj['foo-bar']()" failed with E475.
Assigning and calling already work: "let obj['foo-bar'] = obj.func"
and "call obj['foo-bar']()" are valid. Only the definition was
incorrectly restricted.
Skip the identifier check when the name comes from fd_newkey (i.e. the
key was given in bracket notation). Dictionary keys may be any string.
patch 9.2.0263: hlset() cannot handle attributes with spaces
Problem: hlset() cannot handle attributes with spaces
Solution: Handle attributes with spaces by quoting those
(Yasuhiro Matsumoto).
hlset(hlget('Normal')) fails with E416 when a highlight attribute value
contains spaces (e.g. font name "Monospace 10"). hlg_add_or_update()
builds a string like "font=Monospace 10" and passes it to do_highlight(),
whose parser splits on whitespace and treats "10" as a separate key
without "=".
Fix by quoting values with single quotes (e.g. font='Monospace 10')
when the value contains spaces and the attribute is a key=value pair.
do_highlight() already supports single-quoted values.
closes: #19843
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Pierluigi Lenoci [Fri, 27 Mar 2026 15:49:27 +0000 (15:49 +0000)]
patch 9.2.0262: invalid lnum when pasting text copied blockwise
Problem: invalid lnum when pasting text copied blockwise
(KillTheMule)
Solution: Subtract nr_lines from curwin->w_cursor.lnum when calling
changed_lines() in do_put() (Pierluigi Lenoci)
When doing a blockwise paste beyond the end of the buffer, new lines are
appended and nr_lines is incremented accordingly. However, the
changed_lines() call used curwin->w_cursor.lnum as the "lnume" argument
(the first line below the changed lines BEFORE the change), which is
incorrect because the cursor has already been moved past the newly
appended lines.
Fix by subtracting nr_lines from curwin->w_cursor.lnum, so that lnume
correctly reflects the state before the change, as documented in
changed_lines().
Add a listener test to verify the correct values are reported.
Port of neovim/neovim#12733.
fixes: #6660
closes: #19844
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: terminal: redraws are slow (Mao-Yining)
Solution: Disable redrawing in handle_movecursor()
(Yasuhiro Matsumoto)
handle_movecursor callback was calling update_cursor() with redraw=TRUE
on every cursor move inside vterm_input_write(). This triggered
gui_mch_flush() (GdiFlush + DWriteContext_Flush) and TextChangedT
autocmd for each cursor move. ConPTY output contains ~17 cursor moves
per 4KB chunk, each flush taking ~5ms, resulting in 80-110ms per chunk.
Fix by passing FALSE to update_cursor() in handle_movecursor since
write_to_term() already calls update_cursor() with proper redraw after
vterm_input_write() finishes.
Also set vterm_screen_set_damage_merge() to VTERM_DAMAGE_SCROLL so that
damage callbacks are buffered until vterm_screen_flush_damage() instead
of being emitted per cell.
fixes: #19845
closes: #19846
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0260: statusline not redrawn after closing a popup window
Problem: When a popup window overlapping a status line is closed or
hidden, the status line is not redrawn, leaving ghost
artifacts from the popup.
Solution: popup_free() and popup_hide() call
redraw_all_later(UPD_NOT_VALID) which marks window contents
for redraw but does not set w_redr_status. The diff-based path
in may_update_popup_mask() that normally sets w_redr_status
is skipped when redrawing_all_win is TRUE. Add status_redraw_all
calls to ensure status lines are properly redrawn
(Yasuhiro Matsumoto).
closes: #19830
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
patch 9.2.0259: tabpanel: corrupted display during scrolling causing flicker
Problem: tabpanel: corrupted tabpanel during scrolling causing flicker
Solution: When the tabpanel is visible, force a line-by-line redraw in
win_do_lines() similarly to popup handling (Yasuhiro Matsumoto).
When a vertical tabpanel is visible, terminal scroll operations in
win_do_lines() affect the full screen width, corrupting the tabpanel
area. The tabpanel is then redrawn via redraw_tabpanel, causing visible
flicker. Return FAIL to force line-by-line redraw instead, analogous to
the existing popup_visible check.
closes: #19832
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
projects / thirdparty / vim.git / log
