Problem: tests: Test_backupskip() may read from $HOME
Solution: Set $HOME to an empty value, use --clean
(D Ben Knoble)
Even though we unset HOME, we can see via scriptnames that user files
are still sourced! One of my installed plugins warns when not compiled
with +python3, so this test has a "press Enter" prompt.
Use `--clean` like most other GetVimProg()'s do to fix it. Some tests
use `system()` instead, but that turns this test into a failure rather
than passing; I'm not sure why other tests don't suffer from this.
To prove to ourselves, we can use code like this:
diff --git i/src/testdir/test_options.vim w/src/testdir/test_options.vim
index a408e20e1..044364a54 100644
--- i/src/testdir/test_options.vim
+++ w/src/testdir/test_options.vim
@@ -1179,6 +1179,7 @@ func Test_backupskip()
" P_NODUP). Run this in a separate instance and write v:errors in a file,
" so that we see what happens on startup.
let after =<< trim [CODE]
+ call writefile([execute('scriptnames')], 'foo')
let bsklist = split(&backupskip, ',')
call assert_equal(uniq(copy(bsklist)), bsklist)
call writefile(['errors:'] + v:errors, 'Xtestout')
@@ -1196,7 +1197,7 @@ func Test_backupskip()
" unset $HOME, so that it won't try to read init files
let saveenv['HOME'] = getenv("HOME")
call setenv('HOME', v:null)
- exe 'silent !' . cmd
+ exe 'silent !' . cmd .. ' --cmd "echo &rtp"'
call assert_equal(['errors:'], readfile('Xtestout'))
" restore environment variables
Here, that causes "foo" to include a bunch of files under ~/.vim. I'm
not sure why this happens, but lets paper over it for the test.
We can also tell that (orthogonal to --clean) setting HOME='' works too.
Let's do that in addition since unsetting HOME isn't quite enough.
closes: vim/vim#200518d9c383aaf
Co-authored-by: D. Ben Knoble <ben.knoble+github@gmail.com>
(cherry picked from commit 0039a13fe4)
Problem: quickfix: can set quickfixtextfunc in restricted/sandbox mode
(tacdm)
Solution: Disallow setting the quickfixtextfunc option from a sandbox
and restricted mode (Yegappan Lakshmanan).
closes: vim/vim#20305cb8510d470
Co-Authored-by: tacdm
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
(cherry picked from commit 1a064abb0a)
Problem: completion: cannot complete user cmd :K with 'ignorecase'
(rendcrx)
Solution: Skip the short-circuit when 'ignorecase' is set
(Yasuhiro Matsumoto)
The set_cmd_index() short-circuit for the :k command treats ":k<X>" as
":k {X}" (mark argument), which makes ":kz<Tab>" never reach the
command-name expansion path. With 'ignorecase' the same prefix on other
letters (":gz<Tab>") completes a user command like :Gz, so the result is
inconsistent. Skip the short-circuit when 'ignorecase' is set; default
behaviour is preserved so the existing :k tests still pass.
fixes: vim/vim#20241closes: vim/vim#20275b54e57ee54
Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
(cherry picked from commit dee602e659)
Problem: filetype: some html files are wrongly recognized as htmlangular
Solution: Use the \< atom to anchor ng-template and ng-content to start
of word (truffle)
Prevent false-positive htmlangular detection on words containing
'ng-template' or 'ng-content' as a substring (e.g. 'song-template',
'sing-content'). Anchor both branches with \< to require a word start,
matching the \<DTD\s\+XHTML\s idiom used five lines below.
related: neovim/neovim#39778.
closes: vim/vim#20246354ab1a69e
Co-authored-by: truffle <truffleagent@gmail.com>
(cherry picked from commit f3bb21e71d)
Problem: The four pointer-resolution loops in u_read_undo() lack
an i != j guard, so a header whose uh_next.seq equals
its own uh_seq resolves uh_next.ptr to itself. On
buffer close, u_freeheader() sees uhp->uh_next.ptr !=
NULL and skips updating b_u_oldhead, so u_blockfree()
dereferences the freed header on the next iteration.
The same pattern applies to uh_prev, uh_alt_next and
uh_alt_prev. A crafted .un~ file in the same directory
as a text file can trigger the use-after-free and
subsequent double-free when the buffer is closed.
(Daniel Cervera)
Solution: Add an i != j guard to each of the four resolution
loops, matching the guard already present in the
duplicate-detection loop above.
closes: vim/vim#20168
Supported by AI
4f610f07b7
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 2d5f56c0aa)
Problem: Crash with invalid shellredir/shellpipe value
(bfredl)
Solution: Validate the option and allow only a single "%s".
fixes: vim/vim#20157closes: vim/vim#2015984ae09dd79
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit ffe87d91f7)
Problem: read_compound() in spellfile.c computes the size of the regex
pattern buffer using signed-int arithmetic on the attacker
controlled SN_COMPOUND sectionlen. With sectionlen=0x40000008
and UTF-8 encoding active the multiplication wraps to 27 while
the per-byte loop writes up to ~1B bytes, overflowing the heap.
Reachable when loading a crafted .spl file (e.g. via 'set spell'
after a modeline sets 'spelllang'). The cp/ap/crp allocations
have the same int + 1 overflow class (Daniel Cervera)
Solution: Use type size_t as buffer size and reject values larger than
COMPOUND_MAX_LEN (100000). Apply the same size_t treatment to
the cp/ap/crp allocations.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv9299332917
Co-authored-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
(cherry picked from commit 0976ce255b)
Problem: When closing gvim with an unsaved unnamed buffer, choosing
"Yes" in the "Save changes?" dialog and then "Cancel" in the
file selection dialog either silently writes the buffer to a
file named "Untitled" (overwriting any existing file with
that name) or discards the buffer altogether
(vibs29, after v9.1.0265).
Solution: In dialog_changed(), if browse_save_fname() leaves the buffer
without a file name, treat it as a cancel and return without
saving. Also stop clearing the modified flag in the restore
path on write failure, so the unsaved changes are kept and
the caller (e.g. gui_shell_closed()) can also cancel the
close. Pre-fill the file dialog with "Untitled" to match
the preceding "Save changes to ..." prompt. Add a test for
the write-failure path (Hirohito Higashi).
fixes: vim/vim#20132closes: vim/vim#20143cf947e7ef0
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
(cherry picked from commit 2bb426ce4a)
Problem: Cannot set 'path' option via modeline (zeertzjq, after v9.2.0435)
Solution: Revert the part that disallows setting 'path' via modeline.
closes: vim/vim#2013788fb739918
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit d1c3d6fbaa)
Problem: [security]: Backticks enclosed shell commands in the 'path'
option value are executed during completion (q1uf3ng).
Solution: Skip path entries containing backticks, add P_SECURE to 'path'
option, so that it cannot be set from a modeline (for symmetry with
the 'cdpath' option)
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
Supported by AI.
190cb3c2b9
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit b06f8b174f)
Problem: When an error line in a file passed to :cfile / :cgetfile is
longer than IOSIZE, qf_parse_file_pfx() copies the tail
into the fixed-size IObuff with STRMOVE(), overflowing the heap buffer.
The same code path can also loop indefinitely because
qf_parse_file_pfx() always returns QF_MULTISCAN when a
tail is present, and qf_init_ext() unconditionally goes
to "restofline" without bounding the tail length (Nabih).
Solution: Remove the STRMOVE() into IObuff. In the QF_MULTISCAN
branch, alias linebuf into the tail directly and update
linelen, requiring strict progress (new length less than
the previous length) before retrying; otherwise ignore
the line.
closes: vim/vim#20126
Supported by AI
77677c33de
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 0e69a38026)
Problem: Integer overflow with "ze" and large 'sidescrolloff'.
Solution: Check for overflow to avoid negative w_leftcol (zeertzjq).
closes: vim/vim#2002633f3965087
(cherry picked from commit 1569a71c8a)
vim-patch:9.2.0362: division by zero with smoothscroll and small windows
Problem: Resizing a smoothscrolled wrapped window to its textoff width
with 'showbreak' can leave wrapped continuation lines with
zero text width. win_lbr_chartabsize() still runs the partial max_head_vcol calculation in
that state and divides by width2, crashing during redraw.
Solution: Skip that partial head calculation when the wrapped
continuation width is zero, matching the other width2 guards
in charset.c (Jaehwang Jung)
closes: vim/vim#20012
AI-assisted: Codex
0e31fb024c
(cherry picked from commit 79a7a4abe1)
Problem: potential buffer underrun when settings statusline like option
(q1uf3ng)
Solution: Validate that p > out before accessing p[-1]
closes: vim/vim#1996191b402f575
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit e0eb967f8a)
Problem: Wrong autoformatting with 'autocomplete'.
Solution: Don't trigger autoformatting when ending autocompletion
without selecting an item (zeertzjq).
fixes: vim/vim#19954closes: vim/vim#19970efbd482116
(cherry picked from commit 65680f59d1)
Problem:
If `'keywordprg'` begins with `:`, `3K` turns the count into an Ex
range. Commands that don't support that then fail. Vim passes the count
as the first arg (see #19436, vim/vim#10745).
Solution:
Pass `[count]` as the first arg for `'keywordprg'`.
(cherry picked from commit 6e95d1ad13)
Problem: spell_read_aff() uses sprintf() into a fixed-size stack buffer
without bounds checking. store_aff_word() uses STRCAT() to
append attacker-controlled strings into newword[MAXWLEN] without
checking remaining space. Both are reachable via :mkspell with
crafted .aff/.dic files (xinyi234)
Solution: Replace sprintf() with vim_snprintf() in spell_read_aff().
Replace STRCAT() with STRNCAT() with explicit remaining-space
calculation in store_aff_word().
closes: vim/vim#1994407faa961a0
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 4f7b6083e5)
Problem: When the terminal is very large, test for 9.2.0285 doesn't
trigger an ASAN error without the fix.
Solution: Use a window with fixed height (zeertzjq)
closes: vim/vim#19924b03970f41f
(cherry picked from commit f8695fc529)
Problem: zip plugin tests may match messages from previous test cases
when checking for warning message.
Solution: Clear messages at the start of these tests (zeertzjq).
closes: vim/vim#19926a1f4259e68
(cherry picked from commit c2d7f6b642)
Problem: runtime(zip): may write using absolute paths
(syndicate)
Solution: Detect this case and abort on Unix, warn in the documentation
about possible issues
46f530e517
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 4aa8969d29)
Problem: :syn sync grouphere may go beyond end of line.
Solution: Start searching for the end of region at the end of match
instead of a possibly invalid position (zeertzjq).
closes: vim/vim#19896b7cffc8434
(cherry picked from commit d7ef77d175)
Problem: tests: test_modeline.vim fails (after v9.2.0276)
Solution: Rewrite the tests to use the existing s:modeline_fails()
function, update documentation (zeertzjq).
8c8772c6b3
(cherry picked from commit 65e2218585)
Problem: test: trailing spaces used in tests
Solution: Rewrite tests to avoid trailing spaces (Paul Ollis).
Some tests currently rely on trailing whitespace at the end of lines,
escaped with '\'. I have demonstrated in another PR, such spaces can be
inadvertently removed and this is difficult to spot.
Note: there are more trailing spaces in a few more test files, see
testdir/test_codestyle.vim. Those are not yet removed.
closes: vim/vim#19838211ceea602
Co-authored-by: Paul Ollis <paul@cleversheep.org>
Problem: In gvim on Windows, a certain problem can occur when the
WM_SETFOCUS event sent after an external command is not
processed immediately.
Solution: After posting WM_SETFOCUS, run the message loop to process it
as quickly as possible (Muraoka Taro).
The problem is that Test_normal11_showcmd may fail when running the
test_normal.vim test. Investigation revealed that the trigger was an
external command executed in the previous test,
Test_mouse_shape_after_failed_change, when two tests were executed
consecutively. In gvim on Windows, a WM_SETFOCUS event will be sent
when an external command finishes executing. This WM_SETFOCUS event is
not processed immediately, but rather by redraw, which is expected to
update showcmd. Because it is queued in typebuf at this time,
clear_showcmd(), which expects typebuf to be empty, cannot update
showcmd.
Also added a test that simulates the above problem.
closes: vim/vim#19167c4a6fa3ead
Co-authored-by: Muraoka Taro <koron.kaoriya@gmail.com>
Problem: unnecessary restrictions for defining dictionary function
names
Solution: Allow defining dict function with bracket key that is not a
valid identifier (thinca)
In Vim script, "function obj.func()" and "function obj['func']()" both
define a dictionary function. However, the bracket form required the
key to match function naming rules (eval_isnamec), so
"function obj['foo-bar']()" failed with E475.
Assigning and calling already work: "let obj['foo-bar'] = obj.func"
and "call obj['foo-bar']()" are valid. Only the definition was
incorrectly restricted.
Skip the identifier check when the name comes from fd_newkey (i.e. the
key was given in bracket notation). Dictionary keys may be any string.
Supported by AI
closes: vim/vim#19833f89662722d
Co-authored-by: thinca <thinca@gmail.com>
Problem: Changing the 'signcolumn' may cause flicker, because it uses
the P_RCLR flag for redrawing (Yggdroot)
Solution: Change 'signcolumn' to use P_RWIN instead of P_RCLR, matching
the behavior of 'number' and 'foldcolumn'
(Yasuhiro Matsumoto).
fixes: vim/vim#19663closes: vim/vim#197134292eea714
Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Problem: Option handling for key:value suboptions is limited
Solution: Improve :set+=, :set-= and :set^= for options that use
"key:value" pairs (Hirohito Higashi)
For comma-separated options with P_COLON (e.g., diffopt, listchars,
fillchars), :set += -= ^= now processes each comma-separated item
individually instead of treating the whole value as a single string.
For :set += and :set ^=:
- A "key:value" item where the key already exists with a different value:
the old item is replaced.
- An exact duplicate item is left unchanged.
- A new item is appended (+=) or prepended (^=).
For :set -=:
- A "key:value" or "key:" item removes by key match regardless of value.
- A non-colon item removes by exact match.
This also handles multiple non-colon items (e.g., :set
diffopt-=filler,internal) by processing each item individually, making
the behavior order-independent.
Previously, :set += simply appended the value, causing duplicate keys to
accumulate.
fixes: vim/vim#18495closes: vim/vim#19783e2f4e18437
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Problem: No 'incsearch' highlighting support for :uniq
Solution: Add :uniq support (Hirohito Higashi)
closes: vim/vim#1978048137e4e48
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Problem: runtime(compiler): No compiler plugin for just
Solution: Add a compiler plugin for the just command runner, add a test
(Aditya Malik)
Sets makeprg and a custom errorformat to parse just's multi-line
error output into quickfix entries with file, line, column, and
message. Includes a test.
Reference:
- https://github.com/casey/justcloses: vim/vim#19773e147b635fc
Co-authored-by: Aditya Malik <adityamalik2833@gmail.com>
Problem: "zb" scrolls incorrectly with cursor on fold.
Solution: Set w_botline to the line below the fold (zeertzjq).
related: neovim/neovim#38413
closes: vim/vim#197855a3b75d67b
Problem: Vim may freeze if setcmdline() is called while the wildmenu or
cmdline popup menu is active (rendcrx)
Solution: Cleanup completion state if cmdbuff_replaced flag has been set
(Yasuhiro Matsumoto)
fixes: vim/vim#19742closes: vim/vim#19744332dd22ed4
Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Problem: possible crash with winminheight=0
(Emilien Breton)
Solution: Use <= instead of < when checking reserved room in
frame_setheight() to correctly handle the zero-height
boundary case (Hirohito Higashi).
In frame_setheight(), when shrinking the current window and the only
other window has 'winfixheight' with 'winminheight'=0, room_reserved
was not cleared because the condition used '<' instead of '<='.
The freed rows were discarded, leaving fr_height sum less than
topframe fr_height. Subsequent resize operations then computed a
wrong room_cmdline that expanded topframe beyond the screen, causing
a crash.
fixes: vim/vim#19706closes: vim/vim#19712a5d9654620
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
Problem: autocmds that switch windows may cause them to remain with
w_locked set, preventing them from being closed longer than
intended.
Solution: Unset w_locked in the window where it was set (Sean Dewar).
closes: vim/vim#19716bae31c35bb
Also move alist_add_list's ga_grow inside the if block, so it's only called when
check_arglist_locked is OK, like Vim.
I also notice a redundant return at the end of the block; could be useful if
more code is added later, so I'm leaving it.
Problem:
No way to disable progress messages in cmdline message area. If
a third-party plugin handles Progress events + messages, the user may
not want the "redundant" progress displayed in the cmdline message area.
Solution:
Support "progress:c" entry in 'messageopts' option.
Problem:
"Sorry" in a message (1) is noise, and (2) actually reduces the clarity
of the message because the titlecasing of "Sorry" distracts from the
actually important part of the message.
Solution:
Drop "Sorry" from messages.
Problem: termdebug :Break does not support `thread` and `if` arguments
Solution: extend :Break and :Tbreak to accept optional location, thread
{nr}, and if {expr} arguments (Yinzuo Jiang).
closes: vim/vim#196135890ea5397
AI-assisted: Codex
Problem: tests: a few termdebug tests are flaky; test_termdebug_basic()
and test_termdebug_config_types() may fail if there is too
much load
Solution: Set g:test_is_flaky
Only include:
- mark Test_termdebug_basic() as flaky in oldtest termdebug plugin tests
The Test_termdebug_config_types() part does not apply here.
ebb08d5913
Co-authored-by: Christian Brabandt <cb@256bit.org>
AI-assisted: Codex
