vim-patch:9.2.0024: Reading files with very long lines crashes with a segfault

Problem: Reading files with lines approaching MAXCOL length crashes with segfault due to colnr_T overflow. Solution: The split check 'linerest >= MAXCOL' fired too late because linerest could grow by up to 'size' bytes before the next check. Change threshold to 'linerest >= MAXCOL - size' to ensure the line passed to ml_append() stays within colnr_T range. Note: supported by AI claude fixes: vim/vim#17935 closes: vim/vim#18953 closes: vim/vim#19332 6cc291da06 Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-02-20 17:29:54 +10:00 · 2026-02-19 08:16:11 +08:00
parent 134782b99e
commit fadf5fc8db
1 changed files with 6 additions and 1 deletions
--- a/src/nvim/fileio.c
+++ b/src/nvim/fileio.c
@@ -892,7 +892,12 @@ retry:
      }

      // Protect against the argument of lalloc() going negative.
-      if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL) {
+      // Also split lines that are too long for colnr_T.  After this check
+      // passes, we read up to 'size' more bytes.  We must ensure that even
+      // after that read, the line length won't exceed MAXCOL - 1 (because
+      // we add 1 for the NUL when casting to colnr_T).  If this check fires,
+      // we insert a synthetic newline immediately, so linerest doesn't grow.
+      if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL - size) {
        split++;
        *ptr = NL;  // split line by inserting a NL
        size = 1;