Problem: Using a composing character as the end of a range inside a
collection may corrupt the NFA postfix stack
(Nathan Mills, after v9.1.0011)
Solution: When a character is used as the endpoint of a range, do not emit
its composing characters separately. Range handling only uses
the base codepoint.
supported by AI
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r36d6e87542
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit e5667b9c15)
Problem: Calling nvim_set_hl() with url= crashes because it tries to
free arena-owned string memory.
Solution: Remove the bad free and return a validation error instead.
(cherry picked from commit d19dc6339d)
Hyphenated language names are silently dropped when used as injections
(see #38132).
This combines the normalization of language aliases into `resolve_lang`,
and also adds the normalization of hyphens to underscores, which allows
for handling of injected language tags with hyphens in their names.
Fixes#38132.
(cherry picked from commit 01817eb6f3)
Problem: memline: a crafted swap files with bogus pe_page_count/pe_bnum
values could cause a multi-GB allocation via mf_get(), and
invalid pe_old_lnum/pe_line_count values could cause a SEGV
when passed to readfile() (ehdgks0627, un3xploitable)
Solution: Add bounds checks on pe_page_count and pe_bnum against
mf_blocknr_max before descending into the block tree, and
validate pe_old_lnum >= 1 and pe_line_count > 0 before calling
readfile().
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p65c1a143c3
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 7e8bdd348c)
Problem: A stack-buffer-overflow occurs when rendering a statusline
with a multi-byte fill character on a very wide terminal.
The size check in build_stl_str_hl() uses the cell width
rather than the byte length, allowing the subsequent fill
loop to write beyond the 4096-byte MAXPATHL buffer
(ehdgks0627, un3xploitable).
Solution: Update the size check to account for the byte length of
the fill character (using MB_CHAR2LEN).
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf4e5b9e31cb
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: matchadd() conceal may use unrelated syntax cchar.
Solution: Only use syntax cchar when syntax_flags has HL_CONCEAL
(zeertzjq).
closes: vim/vim#19459d01f234ec1
(cherry picked from commit 785ac9f228)
After #27620 flags.timeout is no longer used as the minimal timeout for
"intermediate", but the default minimal timeout shouldn't be too small.
(cherry picked from commit d0c699ec7b)
Problem: Setting 'winhighlight' doesn't after setting global namespace
using nvim_win_set_hl_ns().
Solution: Check if using another namespace when setting 'winhighlight'
instead of disabling 'winhighlight' in nvim_win_set_hl_ns().
(cherry picked from commit f8d59cfab9)
Problem: Tests for deprecated highlight API were mixed with current API tests.
Solution: Move them to deprecated_spec.lua and update highlight_spec.lua to use nvim_get_hl.
(cherry picked from commit 31c45f1aa4)
Problem: Crash on failed sockconnect() if a new connection is accepted
while polling for uv events.
Solution: Don't use channel_destroy_early().
Also test "tcp" mode failure properly.
(cherry picked from commit 64ce5382bd)
Problem:
On Windows, writing to a pipe doesn't work if the pipe isn't connected
yet. This causes an RPC request to a session newly created by connect()
to hang, as it's waiting for a response to a request that never reaches
the server.
Solution:
Wait for uv.pipe_connect() callback to be called when using connect().
Sometimes the scheduled :qall can arrive too late, so that EOF isn't
received in the same uv_run() call as the response.
(cherry picked from commit a9454f8511)
Problem: Page scrolling in Insert mode beeps (after 9.1.0211).
Solution: Fix incorrect return value of pagescroll(). Also invert the
return value of scroll_with_sms() to be less confusing and
match comments (zeertzjq).
fixes: vim/vim#19326closes: vim/vim#19327a8ce914db1
(cherry picked from commit bdd886622d)
Problem: :tab sbuffer may close old tabpage if BufLeave autocommand
splits window (after 9.1.0143).
Solution: Only close other windows if the buffer will be unloaded
(zeertzjq).
related: neovim/neovim#37749closes: vim/vim#193526da9f757c4
(cherry picked from commit e704529909)
Problem: windows may scroll horizontally upon resize using the old terminal
size, which may be unnecessary and cause the content to be partially out-of-view.
Solution: reset the horizontal scroll after resizing.
Adjust expected highlights, as commit e946951f6a isn't backported.
(cherry picked from commit ba6440c106)
Problem: Another case of buffer overflow with 'helpfile'.
Solution: Leave room for "tags" in the buffer (zeertzjq).
closes: vim/vim#1934021d591fb12
(cherry picked from commit 15061d322d)
Problem:
Calling os_chdir() to change the child processes' CWD may cause some
unnecessary UI events to be buffered. These UI events don't go anywhere
as execvp() is called before flushing the UI buffer.
Solution:
Use uv_chdir() instead of os_chdir(). Also fix getting error string
incorrectly. Add test for the current behavior.
(cherry picked from commit 6291256868)
Problem: tests: Test_language_cmd fails on OpenBSD because the test
uses an invalid locale name and expects the command to produce
an error. OpenBSD accepts (almost) any locale name as valid by
design, so the :lang command succeeds and the test fails.
Solution: Slightly update the "bad" locale name to make it something
that OpenBSD considers invalid by adding a dot (but not ending
with ".UTF-8"). Maintain the original two underscores in the
name because that ensures Windows will also see it as invalid
(Kevin Goodsell).
closes: vim/vim#19280371583642a
(cherry picked from commit 5e1a3df5ae)
Problem: Heap UAF if a terminal buffer is deleted during TermRequest in
Normal mode.
Solution: Increment terminal refcount before triggering TermRequest, and
destroy the terminal if the buffer is closed during that.
(cherry picked from commit b40880f88f)
Problem: Cursor visibility test may fail if the :sleep lasts too long.
Solution: Wait for the TermLeave autocommand to finish.
(cherry picked from commit b95e0a8d20)
Problem:
Two cases lsp.enable() won't work in the first FileType event
1. lsp.enable luals inside FileType or ftplugin/lua.lua, then:
```
nvim a.lua
```
2. lsp.enable luals inside FileType or ftplugin/lua.lua, then:
```
nvim -> :edit a.lua -> :mksession! | restart +qa! so Session.vim
```
Solution:
Currently `v:vim_did_enter` is used to detected two cases:
1. "maunally enabled" (lsp.enable() or `:lsp enable`)
2. "inside FileType event"
To detect 2. correctly we use did_filetype().
(cherry picked from commit fd45bc8cab)
Problem: Not enough tests for using plain_vgetc().
Solution: Add tests for using plain_vgetc() during various commands.
(zeertzjq)
closes: vim/vim#192362b6bdbc697
(cherry picked from commit e0b724de09)
Problem: Cmdline history not updated when mapping both <Up> and <CR>.
Solution: Consider the command typed when in Cmdline mode and there is
no pending input (zeertzjq).
Although the existing behavior technically does match documentation, the
"completely come from mappings" part is a bit ambiguous, because one may
argue that the command doesn't completely come from mappings as long as
the user has typed a key in Cmdline mode. I'm not entirely sure if this
change will cause problems, but it seems unlikely.
fixes: vim/vim#2771
related: neovim/neovim#36256closes: vim/vim#1860797b6e8b424
(cherry picked from commit 2407833ba1)
Problem: :wqall! doesn't quit when using :quit in BufWritePost
(after 8.0.1190).
Solution: Restore old value of "exiting" when calling not_exiting()
instead of always resetting it to FALSE (zeertzjq).
related: vim/vim#2205
closes: vim/vim#19212e803ad1c56
Problem:
Creating an autocommand which executes `:bwipe` on the Syntax event
causes a heap-use-after-free.
Solution: set BF_SYN_SET flag before applying autocommands
(cherry picked from commit f36dd7557a)
When width1 and width2 are negative the assertion may fail. It seems
that adding a negative value to w_curswant won't cause any problems, so
just change the assertion.
(cherry picked from commit 41068c77aa)
Problem: nvim_parse_expression null pointer dereference with unmatched ]
followed by a node.
Solution: if ast_stack was empty, set new_top_node_p to top of the stack after
pushing the list literal node; similar to what's done for curlies.
This bug was originally found by a Matrix user, but I couldn't remember how to
trigger it... Ran into the other crash while finding a repro. :P
(cherry picked from commit a5e5ec8910)
Problem: nvim_parse_expression null pointer dereference when parsing an
identifier followed by { with "highlight" parameter set to false.
Solution: only set opening_hl_idx if pstate->colors is not NULL.
Not added to parser_tests.lua as that uses highlight = true.
(cherry picked from commit 5226801be2)
Problem: Crash when using :tabonly in BufUnload.
Solution: Set curbuf when setting curwin->w_buffer. Don't wipe out a
buffer if there are no other buffers. Don't decrement
b_nwindows if it was 0 before buf_freeall() (zeertzjq).
fixes: vim/vim#19088#issuecomment-3710172769
closes: vim/vim#19186fa64f92f6a
(cherry picked from commit eb5a7cc0dd)
This test is a copy of Test_bufunload_all() and requires too much
additional cleanup for the Windows log message.
(cherry picked from commit 8754118213)
Problem: memory leak when not evaluating (just parsing) invalid literal
dict.
Solution: Always clear the key's typval (Sean Dewar)
Though "check_typval_is_value(&tv) == FAIL && !evaluate" is maybe never
true, also always clear tvs if check_typval_is_value fails; at worst
this would be a no-op as their initial types are VAR_UNKNOWN.
closes: vim/vim#19178b10a3e1a20
check_typval_is_value change is for Vim9 script. (from 9.0.2163)
N/A patch:
vim-patch:9.0.2163: Vim9: type can be assigned to list/dict
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
(cherry picked from commit ba1d50fdc3)
Problem: nvim_get_option_value with "filetype" set can crash if autocommands
open the dummy buffer in more windows, or if &bufhidden == "wipe".
Solution: Attempt to close all dummy buffer windows before wiping. Promote the
dummy buffer to a normal buffer if that fails.
(cherry picked from commit 7e2e116343)
Problem: When the "filetype" key is set for nvim_get_option_value, autocommands
can crash Nvim by prematurely wiping the dummy buffer, or cause options intended
for it to instead be set for unrelated buffers if switched during OptionSet.
Solution: Don't crash. Also quash side-effects from setting the buffer options.
(cherry picked from commit 3cb462a960)
This fixes a regression from cf6f60ce4d
(possibly), as before that commit a frame is popped from the call stack
immediately after its response is received.
Also fix leaking the allocated error messages.
(cherry picked from commit 39d8aa0a1a)
