vim-patch:9.1.2028: [security]: Buffer-overflow with incomplete multi-byte chars (#37133)

Problem: Buffer overflow in buf_write() when converting incomplete multi-byte characters (Kevin Goodsell) Solution: Make the buffer slightly larger closes: vim/vim#19007 f99de42a9f Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-01-07 03:48:02 +10:00 · 2025-12-28 08:37:55 +08:00
parent 80a8c3d23b
commit 444e1ffe3e
4 changed files with 44 additions and 2 deletions
--- a/test/functional/legacy/crash_spec.lua
+++ b/test/functional/legacy/crash_spec.lua
@@ -63,3 +63,13 @@ it('no crash when writing "Untitled" file fails', function()
  eq('Vim(enew):E502: "Untitled" is a directory', pcall_err(command, 'confirm enew'))
  assert_alive()
 end)
+
+-- oldtest: Test_crash_bufwrite()
+it('no crash when converting buffer with incomplete multibyte chars', function()
+  command('edit ++bin test/old/testdir/samples/buffer-test.txt')
+  finally(function()
+    os.remove('Xoutput')
+  end)
+  command('w! ++enc=ucs4 Xoutput')
+  assert_alive()
+end)
--- a/test/old/testdir/samples/buffer-test.txt
+++ b/test/old/testdir/samples/buffer-test.txt
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -241,4 +241,22 @@ func TearDown()
  call delete('Untitled')
 endfunc

+func Test_crash_bufwrite()
+  let lines =<< trim END
+    w! ++enc=ucs4 Xoutput
+    call writefile(['done'], 'Xbufwrite')
+  END
+  call writefile(lines, 'Xvimrc')
+  let opts = #{wait_for_ruler: 0, rows: 20}
+  let args = ' -u NONE -i NONE -b -S Xvimrc'
+  let buf = RunVimInTerminal(args .. ' samples/buffer-test.txt', opts)
+  call TermWait(buf, 1000)
+  call StopVimInTerminal(buf)
+  call WaitForAssert({-> assert_true(filereadable('Xbufwrite'))})
+  call assert_equal(['done'], readfile('Xbufwrite'))
+  call delete('Xbufwrite')
+  call delete('Xoutput')
+  call delete('Xvimrc')
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab