From a416494e648b18a41fd5d1cdcf04ef0e05c15926 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sat, 28 Feb 2026 09:22:41 +0800
Subject: [PATCH] vim-patch:9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl() (#38102)
Problem: A stack-buffer-overflow occurs when rendering a statusline with a multi-byte fill character on a very wide terminal. The size check in build_stl_str_hl() uses the cell width rather than the byte length, allowing the subsequent fill loop to write beyond the 4096-byte MAXPATHL buffer (ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of the fill character (using MB_CHAR2LEN).
Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf
https://github.com/vim/vim/commit/4e5b9e31cb7484ad156fba995fdce3c9b075b5fd
Co-authored-by: Christian Brabandt
---
 src/nvim/statusline.c | 2 +-
 test/unit/statusline_spec.lua | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/nvim/statusline.c b/src/nvim/statusline.c
index 8bf783020b..005a52b675 100644
--- a/src/nvim/statusline.c
+++ b/src/nvim/statusline.c
@@ -2034,7 +2034,7 @@ stcsign:
 // add characters at the separate marker (if there is one) to
 // fill up the available space.
 } else if (width < maxwidth
 && outputlen + (size_t)(maxwidth - width) + 1 < outlen) {
+ && outputlen + (size_t)(maxwidth - width) * schar_len(fillchar) + 1 < outlen) {
 // Find how many separators there are, which we will use when
 // figuring out how many groups there are.
 int num_separators = 0;
diff --git a/test/unit/statusline_spec.lua b/test/unit/statusline_spec.lua
index a97a4f41d7..1388063a92 100644
--- a/test/unit/statusline_spec.lua
+++ b/test/unit/statusline_spec.lua
@@ -12,7 +12,7 @@ local stl = t.cimport('./src/nvim/statusline.h')
 local grid = t.cimport('./src/nvim/grid.h')
 describe('build_stl_str_hl', function()
- local buffer_byte_size = 100
+ local buffer_byte_size = 120
 local STL_INITIAL_ITEMS = 20
 local output_buffer = ''
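Review bot: The corrected size check in the statusline.c hunk is not pinned by a regression test: the diffstat shows the only test change is the `buffer_byte_size` bump from 100 to 120 in statusline_spec.lua, which (as far as can be inferred) keeps an existing fill case padded now that `schar_len(fillchar)` bytes are reserved per cell, but nothing asserts that a fill which no longer fits leaves the output unpadded rather than running past `outlen`. A unit test that builds a statusline with a multi-byte fillchar and a `maxwidth` whose byte cost exceeds the buffer would make the overflow condition itself observable and guard against the check regressing to cell units. The new condition also deserves a comment, since `maxwidth - width` is a cell count and the multiplication is the whole point of the fix: `// fillchar may be multi-byte: reserve its byte length per cell, not one byte per cell`. build_stl_str_hl() starts and ends outside the hunk, so the fill loop that this check protects is not visible here.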