Problem: memory leak in eval_dict()
Solution: Do not return but goto failret (Huihui Huang).
closes: #19531
Signed-off-by: Huihui Huang <625173@qq.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: A stack-buffer-overflow occurs when rendering a statusline
with a multi-byte fill character on a very wide terminal.
The size check in build_stl_str_hl() uses the cell width
rather than the byte length, allowing the subsequent fill
loop to write beyond the 4096-byte MAXPATHL buffer
(ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
the fill character (using MB_CHAR2LEN).
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf
Signed-off-by: Christian Brabandt <cb@256bit.org>
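
The cell-versus-byte mismatch described in the statusline commit above, as an added example (not Vim's code): the function names and the 100-byte starting offset are hypothetical, the fill character is assumed to be one cell wide, and only the 4096-byte buffer size comes from the commit message.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4096  /* buffer size named in the commit message */

/* Flawed shape: counts display cells, but the fill loop writes bytes. */
static int cell_check_ok(size_t used, size_t cells)
{
    return used + cells < BUF_SIZE;
}

/* Corrected shape: counts the bytes the fill occupies, keeps 1 for NUL. */
static int byte_check_ok(size_t used, size_t cells, size_t char_len)
{
    if (char_len == 0 || cells > (BUF_SIZE - 1) / char_len)
        return 0;  /* also rules out overflow of cells * char_len */
    return used <= BUF_SIZE - 1 - cells * char_len;
}

/* Append up to `cells` copies of a one-cell fill character; stop when full. */
static size_t fill(char *buf, size_t used, const char *fc, size_t char_len,
                   size_t cells)
{
    if (used >= BUF_SIZE)
        return used;
    for (; cells > 0 && byte_check_ok(used, 1, char_len); --cells) {
        memcpy(buf + used, fc, char_len);
        used += char_len;
    }
    buf[used] = '\0';
    return used;
}

/* Constructed scenario: 100 bytes already used, then a 3-byte fill char. */
static size_t demo_fill(size_t cells)
{
    static char buf[BUF_SIZE];
    memset(buf, 'x', 100);
    return fill(buf, 100, "\xe2\x94\x80", 3, cells);  /* U+2500, UTF-8 */
}

int main(void)
{
    printf("cells check: %d, bytes check: %d, length after fill: %zu\n",
           cell_check_ok(100, 2000), byte_check_ok(100, 2000, 3),
           demo_fill(2000));
    return 0;
}
```

With 2000 cells requested, the cell-based check passes although the fill needs 6000 bytes; the byte-based check rejects it and the bounded loop stops at the last whole character that fits.
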
Problem: memline: a crafted swap file with bogus pe_page_count/pe_bnum
values could cause a multi-GB allocation via mf_get(), and
invalid pe_old_lnum/pe_line_count values could cause a SEGV
when passed to readfile() (ehdgks0627, un3xploitable)
Solution: Add bounds checks on pe_page_count and pe_bnum against
mf_blocknr_max before descending into the block tree, and
validate pe_old_lnum >= 1 and pe_line_count > 0 before calling
readfile().
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: When processing terminal output with many combining characters
from supplementary planes (4-byte UTF-8), a heap-buffer
overflow occurs. Additionally, the loop iterating over
cell characters can read past the end of the vterm array
(ehdgks0627, un3xploitable).
Solution: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure
sufficient space. Add a boundary check to the character
loop to prevent index out-of-bounds access.
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: When parsing a malformed Emacs-style tags file, a 1-byte
heap-buffer-underflow read occurs if the 0x7f delimiter
appears at the very beginning of a line. This happens
because the code attempts to scan backward for a tag
name from the delimiter without checking if space exists.
(ehdgks0627, un3xploitable)
Solution: Add a check to ensure the delimiter (p_7f) is not at the
start of the buffer (lbuf) before attempting to isolate
the tag name.
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: Insufficient validation of hostname and port in
netrw URIs allows command injection via shell metacharacters
(ehdgks0627, un3xploitable).
Solution: Implement stricter RFC1123 hostname and IP validation.
Use shellescape() for the provided hostname and port.
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-m3xh-9434-g336
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: inside_block() always checks the flags of the top-most stack
entry instead of the current loop index.
Solution: Use the loop index 'i' to check all levels of the condition
stack (Weixie Cui).
closes: #19524
Signed-off-by: Weixie Cui <cuiweixie@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: tests: various tests leave swapfiles around
Solution: close open buffers using :bw! instead of :close!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Patch 9.2.0033 (#19260) introduced a dedicated `env` filetype for
.env files, which were previously detected as `sh`. This left env
files without `commentstring`, `comments`, or `formatoptions` since
no ftplugin was added alongside the new filetype.
Add runtime/ftplugin/env.vim to set these options, matching the
behavior that .env files had when they used the `sh` filetype.
closes: #19522
Signed-off-by: snelling-a <72226000+snelling-a@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: The length passed to add_attr_and_value for " ctermfont=" is
incorrect. In highlight_set_font(), sg_font_name is freed and
updated in two separate branches, leading to redundant code.
Solution: Correct the length parameter in hlg_add_or_update().
Refactor highlight_set_font() to update the font name string
only once after a successful change is detected.
closes: #19512
Signed-off-by: glepnir <glephunter@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Inefficient use of list_append_string()
Solution: Pass string length to list_append_string() where it is known
(John Marriott).
closes: #19491
Signed-off-by: John Marriott <basilisk@internode.on.net>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: memory leak in invoke_sync_listeners()
Solution: Free the recorded_changes on early return
(Huihui Huang).
closes: #19516
Signed-off-by: Huihui Huang <625173@qq.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: popup: opacity feature causes flickering
(after v9.2.0016)
Solution: Only skip the mask and enable the opacity context if
w_popup_blend is greater than 0 (Hirohito Higashi).
fixes: #19510
fixes: #19499
closes: #19515
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: memory leak in type_name_list_or_dict()
Solution: Free the variable member_free on early returns (Huihui Huang).
closes: #19513
Signed-off-by: Huihui Huang <625173@qq.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Using the wrong field with DAP channel mode
(after v9.2.0060)
Solution: Use request_seq instead of seq when handling DAP response
(Foxe Chen).
closes: #19511
Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Not possible to know when a session will be loaded.
Solution: Add the SessionLoadPre autocommand (Colin Kennedy).
fixes: #19084
closes: #19306
Signed-off-by: Colin Kennedy <colinvfx@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: No support for the DAP channel mode
Solution: Add native channel support for the debug-adapter-protocol
(Foxe Chen)
closes: #19432
Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Compile error in did_set_previewpopup() when quickfix
feature is not included (John Marriott, after v9.2.0051)
Solution: Add ifdef FEAT_QUICKFIX (John Marriott)
related: #18873
Signed-off-by: John Marriott <basilisk@internode.on.net>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: eval_addblob() is inefficient
Solution: Replace per-byte ga_append() loop with a single ga_grow() and
mch_memmove() for each source blob. This eliminates N grow
checks and function call overhead for blob concatenation
(Yasuhiro Matsumoto).
closes: #19494
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Vim's list concatenation is inefficient
Solution: Use a single allocation of len1 + len2 using
list_alloc_with_items() (Yasuhiro Matsumoto).
Replace list_copy() + list_extend() (N+1 individual mallocs) with a
single list_alloc_with_items(len1+len2) call. This reduces the number
of memory allocations from O(N) to O(1) for the list '+' operator.
closes: #19495
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Running gvim with a tiny build under a Wayland compositor
hides the bottom half of the command line
(dezza, after v9.1.1585).
Solution: When Wayland display protocol support is not compiled in
(HAVE_WAYLAND not defined), force the X11 GDK backend to avoid
display issues. This restores the gdk_set_allowed_backends("x11")
call that was removed by patch 9.1.1585, but only for builds
without Wayland support (e.g. tiny builds, see patch 9.1.1565)
(Hirohito Higashi)
fixes: #19483
closes: #19504
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: The 'previewpopup' option lacks several customization values
that 'completepopup' supports, such as borders, shadows,
and UI handles.
Solution: Add support for "border", "borderhighlight", "close",
"resize", and "shadow" to 'previewpopup' (Arkissa)
closes: #18873
Signed-off-by: Arkissa <mrarkssac@gmail.com>
Signed-off-by: Girish Palya <girishji@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: In gvim on Windows, a certain problem can occur when the
WM_SETFOCUS event sent after an external command is not
processed immediately.
Solution: After posting WM_SETFOCUS, run the message loop to process it
as quickly as possible (Muraoka Taro).
The problem is that Test_normal11_showcmd may fail when running the
test_normal.vim test. Investigation revealed that the trigger was an
external command executed in the previous test,
Test_mouse_shape_after_failed_change, when two tests were executed
consecutively. In gvim on Windows, a WM_SETFOCUS event will be sent
when an external command finishes executing. This WM_SETFOCUS event is
not processed immediately, but rather by redraw, which is expected to
update showcmd. Because it is queued in typebuf at this time,
clear_showcmd(), which expects typebuf to be empty, cannot update
showcmd.
Also added a test that simulates the above problem.
closes: #19167
Signed-off-by: Muraoka Taro <koron.kaoriya@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Vim9: typename() returns wrong type for lists/dicts/tuples
with shared references (Mao-Yining).
Solution: Reset CopyID after processing the item so it can be
re-inspected if encountered again via a different reference
(Hirohito Higashi).
fixes: #19490
closes: #19492
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: MS-Windows: ConPTY not yet preferred
Solution: Mark ConPTY as stable starting with Windows 11 (build 22000).
Vim will now prefer ConPTY over winpty on these systems.
fixes: #19033
closes: #19037
Signed-off-by: bennyyip <yebenmy@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Wayland: still performance issues
(lilydjwg, after v9.2.0010)
Solution: Revert another part of Patch v9.2.0010
(Christoffer Aasted)
Revert "perf(gtk-wayland): avoid early redraws; compositor does redraw"
fixes: #19471
fixes: #19481
closes: #19482
Signed-off-by: Christoffer Aasted <dezzadk@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
- Generate once (and inline) all alphabetical mark names.
- Allocate all markable "setpos" lists in advance.
- Continue tolerating redundant "setpos" calls that reset
mark "`" for motions within a line or motions between
paired lines (i.e. the lines for which mark "`" is made
reciprocal) rather than making "getpos" calls that check
the position of mark "`" before conditionally changing it
with "setpos" since checking a mark position is slower
than setting it according to profiling samples.
- Observe sparing use of empty lines.
closes: #19476
Signed-off-by: Aliaksei Budavei <0x000c70@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: crypt: Crash when reading an encrypted UTF-8 file.
This happens because readfile() does not account for leftover
conversion bytes (conv_restlen) when reallocating and moving
the buffer after decryption (smss2022).
Solution: Include conv_restlen in the offset calculations and memmove
operations within readfile() (Foxe Chen).
fixes: #19425
closes: #19453
Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Not always using GA_CONCAT_LITERAL with string literals.
(after: v9.2.0031)
Solution: Use the GA_CONCAT_LITERAL, instead of ga_concat_len.
(John Marriott)
closes: #19468
Signed-off-by: John Marriott <basilisk@internode.on.net>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: In screen_line(), there is a potential integer underflow when
accessing ScreenAttrs[off_to - 1] if off_to is zero.
(Coverity CID 1681430, after v9.2.0017)
Solution: Add a check to ensure off_to > 0 before accessing the
previous attribute index.
related: #19272
closes: #19479
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Wayland: Not using Boolean type (after v9.2.0010)
Solution: Use bool type instead of int (Hirohito Higashi).
closes: #19473
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>