Problem: When Nvim exits while connecting to a socket it leads to
stack-buffer-overflow.
Solution: Associate the handle with the Stream and use the Stream's
internal_close_cb to update the "closed" status.
(cherry picked from commit 4ed2e66d2e)
Problem:
Invalid `nvim_create_user_command` calls can leak the
`preview` callback reference after Neovim has taken ownership of it.
1. build with {a,l}san
2. run:
```sh
<path/to/nvim> --headless -u NONE --clean +'lua
for i = 1, 100 do
pcall(vim.api.nvim_create_user_command,
"some very epic stuff" .. i,
{}, -- NOTE: this is INVALID (not a function or string)
{ preview = function() end })
end
vim.cmd("qa!")
' +qa
```
3. see:
```
100 lua references were leaked!
```
Solution:
Clear `preview_luaref` in `err:`.
(cherry picked from commit 393f687503)
Co-authored-by: Barrett Ruth <62671086+barrettruth@users.noreply.github.com>
Problem: `nvim_set_keymap` leaks the `callback` `LuaRef` when the
LHS is too long.
Solution: Make `set_maparg_lhs_rhs` transfer `rhs_lua` to
`MapArguments` up front so the caller always owns the ref.
(cherry picked from commit 58aad59e1c)
Co-authored-by: Barrett Ruth <62671086+barrettruth@users.noreply.github.com>
Problem: Destroying a terminal with pending `TermRequest` events leaks
memory.
Solution: Make `emit_termrequest` the sole owner of its `pending_send`
allocation.
(cherry picked from commit 19ef632dec)
Problem: missing bound-checks
Solution: Add defensive guards against potential buffer overflow
(Yasuhiro Matsumoto)
Add bounds checking and integer overflow guards across multiple files
as a defensive measure. While these code paths are unlikely to be
exploitable in practice, the guards prevent undefined behavior in
edge cases.
- libvterm/vterm.c: use heap tmpbuffer instead of stack buffer in
vsprintf() fallback path
- channel.c: validate len in channel_consume() before mch_memmove()
- spell.c: use long instead of int for addlen to avoid signed overflow
in size_t subtraction
- alloc.c: add SIZE_MAX overflow check in ga_grow_inner() before
itemsize multiplication
- list.c: add overflow check before count * sizeof(listitem_T)
- popupwin.c: add overflow check before width * height allocation
- insexpand.c: add overflow check before compl_num_bests multiplication
- regexp_bt.c: replace sprintf() with vim_snprintf() in regprop()
- spellfile.c: use SIZE_MAX instead of LONG_MAX for allocation overflow
check
closes: vim/vim#199048d23fcb603
Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
(cherry picked from commit a4ad469fb1)
Problem:
b98eefd added `!b_p_bl` to `ignore_buf()`, which also
skips bdelete'd buffers since bdelete unsets `b_p_bl`.
Solution:
Check `b_p_initialized` together with `b_p_bl` so that
bdelete'd buffers (which have b_p_initialized=false) are not
filtered out. Keep `b_p_bl` check only in `shada_get_buflist()`.
(cherry picked from commit 496374e951)
Problem: A vim.ui_attach() callback that redraws to show a 'verbose'
regex message during 'incsearch' results in recusive redrawing.
Solution: Check that curwin was redrawn instead of just any window when
determining if 'incsearch' highlighting was cleared.
(cherry picked from commit 61fb88992d)
Problem: When closing floating windows to close a tabpage, if the current
buffer will unload, buffers contained in those floating windows
will too (unexpectedly).
Solution: Don't pass along "free_buf" argument; check 'bufhidden' for
the buffer in the to be closed float.
(cherry picked from commit 5b0ad4a060)
Co-authored-by: luukvbaal <luukvbaal@gmail.com>
Problem: :restart leads to ERR/WRN logging on Windows with --listen.
Solution: Add a log_level flag to vim._with() and use it to suppress
logging from serverstart()/serverstop() during restart.
(cherry picked from commit 208951cbc0)
Problem:
In the default 'titlestring', if the containing directory is the CWD, it renders as "."
Solution:
Add `:p` to the titlestring.
(cherry picked from commit e68e769352)
Problem:
On Windows, :restart cannot immediately reuse the canonical --listen
address because named pipe release is asynchronous.
Solution:
Start the new Nvim server on a temporary address; in the new Nvim,
retry serverstart() with the original ("canonical") address until it
succeeds.
(cherry picked from commit 5891f2f3dc)
Co-authored-by: Sanzhar Kuandyk <92693103+SanzharKuandyk@users.noreply.github.com>
Problem: `:write ++patate foo` doesn't error out, instead it turns on
mkdir_p and uses "atate foo" as the filename. Same with ++edit.
The parser just does strncmp without checking what comes after.
Solution: require the next char after the option name to not be a
letter
(cherry picked from commit 44770bb924)
Problem: Integer overflow with "ze" and large 'sidescrolloff'.
Solution: Check for overflow to avoid negative w_leftcol (zeertzjq).
closes: vim/vim#2002633f3965087
(cherry picked from commit 1569a71c8a)
Problem: ins_compl_stop() sets compl_best_matches = 0, but that's a
pointer, should reset compl_num_bests instead,
find_common_prefix() reads cpt_sources_array[cur_source] without
checking cur_source != -1 which causes an OOB for -1,
find_next_completion_match(): second `if` in the pending loop
should be `else if`. Forward paging only moves one step per call.
Solution: Reset compl_num_bests instead, add a check for cur_source not
equal -1, change if to else if (glepnir)
closes: vim/vim#20000b328686d6a
Co-authored-by: glepnir <glephunter@gmail.com>
(cherry picked from commit 3f9500e75d)
Problem: fg_indexed/bg_indexed were dropped from nvim_get_hl output due
to a wrong short_keys guard. HL_FG_INDEXED also wasn't cleared in
hl_blend_attrs, and HLATTRS_DICT_SIZE was too small.
Solution: Remove the short_keys guard, clear HL_FG_INDEXED in
hl_blend_attrs, bump HLATTRS_DICT_SIZE to 24, and clarify docs that
these flags mean rgb is an approximation of the cterm palette index.
(cherry picked from commit 01861c2f95)
Co-authored-by: glepnir <glephunter@gmail.com>
vim-patch:9.2.0362: division by zero with smoothscroll and small windows
Problem: Resizing a smoothscrolled wrapped window to its textoff width
with 'showbreak' can leave wrapped continuation lines with
zero text width. win_lbr_chartabsize() still runs the partial max_head_vcol calculation in
that state and divides by width2, crashing during redraw.
Solution: Skip that partial head calculation when the wrapped
continuation width is zero, matching the other width2 guards
in charset.c (Jaehwang Jung)
closes: vim/vim#20012
AI-assisted: Codex
0e31fb024c
(cherry picked from commit 79a7a4abe1)
Problem:
win_line() falls into infinite loop when a diff window has top filler
above its first visible buffer line, that first visible buffer line is a
closed fold, and the folded line uses normal non-empty foldtext.
Solution:
Allow flushing pending diff filler rows even when the underlying buffer
line is folded with foldtext.
AI-assisted: Codex
Co-authored-by: zeertzjq <zeertzjq@outlook.com>
(cherry picked from commit f2cc0a249d)
Problem:
`api.nvim_buf_del_mark` already emits a `MarkSet` event with `col` and `line` set to 0. However, `:delmarks` currently emits no events.
Solution:
Change `:delmarks` to emit the same `col==line==0` event.
Problem: Marks are not adjusted unloading a buffer that doesn't exist
on disk. E.g. extmarks are still valid (and will be beyond the
end of the buffer if the buffer is reloaded), even though the
text is lost.
Solution: Adjust marks for a cleared buffer when unloading a buffer that
doesn't exist on disk.
(cherry picked from commit 68f7acaaae)
Since Nvim uses a compositor, redrawing windows won't lead to flicker in
the popup menu, so the pum_visible() checks in move.c can be removed.
(cherry picked from commit 724fccd46f)
Problem: Documentation based on patches is outdated.
Solution: Add changes to documentation in a patch.
853886722c
Trailing space was removed in later patches.
Also fix a few more misplaced error numbers from #8155.
Co-authored-by: Bram Moolenaar <Bram@vim.org>
(cherry picked from commit 39410ef42b)
Problem:
- Choosing a new EXX error code is tedious.
- It's possible to accidentally use an EXX error code for different
purposes.
Solution:
Add a lint check which requires EXX error codes to have a :help tag.
This also avoids duplicates because `make doc` does `:helptags ++t doc`
which fails if duplicates are found.
(cherry picked from commit bc6d946cca)
Problem: e_invalwindow was a static local, inconsistent with other error strings.
Solution: Convert it to EXTERN/INIT style and move it to errors.h.
(cherry picked from commit 92317013b4)
test: lint naming conventions
Problem:
Naming conventions are not automatically checked.
Solution:
Add a check to the doc generator. Eventually we should extract this
somehow, but that will require refactoring the doc generator...
Note: this also checks non-public functions, basically anything that
passes through `gen_eval_files.lua` and `gen_vimdoc.lua`. And that's
a good thing.
Problem:
Several zh_CN translations were marked fuzzy with wrong or placeholder msgstr.
Solution:
Fix fuzzy entries, preserve format specifiers, use full-width punctuation.
(cherry picked from commit e56deecf00)
Problem: Treesitter highlighting regressed on 32-bit builds because ranges that should cover the whole buffer were corrupted when passed into Lua.
Solution: Round-trip those range values through Lua and validate them so treesitter sees the same ranges on 32 and 64-bit builds.
(cherry picked from commit 3838a2579e)
continues d0af4cd909.
This commit renames positional parameters. This is only "cosmetic", but
is intended to make it extra clear which name is preferred, since people
often copy existing code despite the guidelines in `:help dev-naming`.
(cherry picked from commit 71ac4db335)
In 3a4a66017b, 4d3a67cd62, df8d98173c we renamed "buffer" to "buf"
in dict parameters and return-values.
This commit renames positional parameters. This is only "cosmetic", but
is intended to make it extra clear which name is preferred, since people
often copy existing code despite the guidelines in `:help dev-naming`.
(cherry picked from commit d0af4cd909)
Problem: potential buffer underrun when settings statusline like option
(q1uf3ng)
Solution: Validate that p > out before accessing p[-1]
closes: vim/vim#1996191b402f575
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit e0eb967f8a)
Problem: Wrong autoformatting with 'autocomplete'.
Solution: Don't trigger autoformatting when ending autocompletion
without selecting an item (zeertzjq).
fixes: vim/vim#19954closes: vim/vim#19970efbd482116
(cherry picked from commit 65680f59d1)
Problem:
`gf` and `<cfile>` treat `file:/absolute/path` as a literal path and
open `file:/...` instead of the local file.
Solution:
Strip the local `file:` prefix before path resolution in the hyperlink
path code.
(cherry picked from commit e827c3b648)
Problem: Attempting to emit cmdline_block event with NULL cmdbuff after
<C-\><C-N> in Ex-mode.
Solution: Don't emit cmdline_block event when cmdbuff is NULL.
(cherry picked from commit f0f9620b38)
Problem:
- Not obvious which _meta/ are generated and which should be edited
manually.
- The require guard (`error('Cannot require a meta file')`) is not
consistently present in all meta files.
Solution:
- Update headers.
- Add require() guard to all meta files.
- Rename generated meta files with `.gen.lua`.
(cherry picked from commit 65b40e69ac)
Problem:
- Lots of redundant text in options docs for "not allowed in
a modeline", even though we already have a flag that indicates that.
- `deny_in_modelines` is an old vestigial flag only used by 'encoding'
(which never changes).
Solution:
- Generate docs based on the `secure` flag.
- Remove the `deny_in_modelines` flag (`kOptFlagNoML`).
(cherry picked from commit 829e9ec65e)
Co-authored-by: Justin M. Keyes <justinkz@gmail.com>
Problem: win_linetabsize() includes wrap overhead from 'linebreak'
based on current window width, but the result sizes the window,
causing a feedback loop.
Solution: Temporarily set w_view_width to Columns before measuring.
(cherry picked from commit fcdb148437)
Problem: hlgroup2dict passes &ns_id to ns_get_hl twice. The first call
(link=true) sets *ns_hl = 0 when link_global is set, so the second call
and the sg_cleared guard both see ns_id == 0 and bail out. The group is
silently dropped from the result.
Solution: use a temporary copy of ns_id for each ns_get_hl call so the
original value is preserved.
(cherry picked from commit 49086862fc)
