patch 9.2.0078: [security]: stack-buffer-overflow in build_stl_str_hl()

chrisbra · chrisbra · commit 4e5b9e31cb74 · 2026-02-27T21:09:50.000Z
Problem: A stack-buffer-overflow occurs when rendering a statusline with a multi-byte fill character on a very wide terminal. The size check in build_stl_str_hl() uses the cell width rather than the byte length, allowing the subsequent fill loop to write beyond the 4096-byte MAXPATHL buffer (ehdgks0627, un3xploitable). Solution: Update the size check to account for the byte length of the fill character (using MB_CHAR2LEN). Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-gmqx-prf2-8mwf Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/buffer.c b/src/buffer.c
@@ -5296,7 +5296,8 @@ build_stl_str_hl(
 	}
 	width = maxwidth;
     }
-    else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)
+    else if (width < maxwidth &&
+	    outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)
     {
 	// Find how many separators there are, which we will use when
 	// figuring out how many groups there are.
diff --git a/src/version.c b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    78,
 /**/
     77,
 /**/

Original file line number	Diff line number	Diff line change
`@@ -5296,7 +5296,8 @@ build_stl_str_hl(`
`5296`	`5296`	`}`
`5297`	`5297`	`width = maxwidth;`
`5298`	`5298`	`}`
`5299`		`- else if (width < maxwidth && outputlen + maxwidth - width + 1 < outlen)`
	`5299`	`+ else if (width < maxwidth &&`
	`5300`	`+ outputlen + (maxwidth - width) * MB_CHAR2LEN(fillchar) + 1 < outlen)`
`5300`	`5301`	`{`
`5301`	`5302`	`// Find how many separators there are, which we will use when`
`5302`	`5303`	`// figuring out how many groups there are.`