From fadf5fc8dbf936c22d0905f4e29577b490382b8f Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Thu, 19 Feb 2026 08:16:11 +0800
Subject: [PATCH] vim-patch:9.2.0024: Reading files with very long lines crashes with a segfault

Problem: Reading files with lines approaching MAXCOL length crashes with segfault due to colnr_T overflow.
Solution: The split check 'linerest >= MAXCOL' fired too late because linerest could grow by up to 'size' bytes before the next check. Change threshold to 'linerest >= MAXCOL - size' to ensure the line passed to ml_append() stays within colnr_T range.
Note: supported by AI claude
fixes: vim/vim#17935
closes: vim/vim#18953
closes: vim/vim#19332
https://github.com/vim/vim/commit/6cc291da063e7d9a74a6337d6a80af2b3bcbb5a9
Co-authored-by: Christian Brabandt
---
 src/nvim/fileio.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/nvim/fileio.c b/src/nvim/fileio.c
index 9389d866d3..f4217c5e60 100644
--- a/src/nvim/fileio.c
+++ b/src/nvim/fileio.c
@@ -892,7 +892,12 @@ retry:
 }
 // Protect against the argument of lalloc() going negative.
- if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL) {
+ // Also split lines that are too long for colnr_T. After this check
+ // passes, we read up to 'size' more bytes. We must ensure that even
+ // after that read, the line length won't exceed MAXCOL - 1 (because
+ // we add 1 for the NUL when casting to colnr_T). If this check fires,
+ // we insert a synthetic newline immediately, so linerest doesn't grow.
+ if (size < 0 || size + linerest + 1 < 0 || linerest >= MAXCOL - size) {
 split++;
 *ptr = NL; // split line by inserting a NL
 size = 1;