Problem: [security]: invalid cursor position may cause a crash
(after v9.1.0038)
Solution: Set cursor to the last character in a line, if it would
otherwise point to beyond the line; no tests added, as it
is unclear how to reproduce this.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh396fd1ec29
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 6f167fcae9)
Problem: The matchparen plugin is slow on a long line.
Solution: Don't use a regexp to get char at and before cursor.
(zeertzjq)
Example:
```vim
call setline(1, repeat(' foobar', 100000))
runtime plugin/matchparen.vim
normal! $hhhhhhhh
```
closes: vim/vim#1556881e7513c86
(cherry picked from commit cf44121f7f)
fix(terminal): interrupt/got_int hangs terminal (#30056)
Upon `terminal_enter`, `mapped_ctrl_c` is set in order to avoid `CTRL-C`
interrupts (which is proxied to the terminal process instead), `os_inchar`
will then test `mapped_ctrl_c` against `State` and set `ctrl_c_interrupts=false`
which prevents `process_ctrl_c` from setting `got_int=true` in a terminal
state.
However, if `got_int` is set outside of `process_ctrl_c`, e.g. via
`interrupt()`, this will hang the neovim process as `terminal_execute` will
enter an endless loop as `got_int` will never be cleared causing `safe_vgetc`
to always return `Ctrl_C`.
A minimal example reproducing this bug:
```vim
:autocmd TermEnter * call timer_start(500, {-> interrupt()})
:terminal
:startinsert
```
To fix, we make sure `got_int` is cleared inside `terminal_execute` when
it detects `Ctrl_C`.
Closes#20726
Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Co-authored-by: ibhagwan <59988195+ibhagwan@users.noreply.github.com>
Problem:
The windows installer did not have the AllUsers property which leads to
the installer being misidentified as per user installer.
Currently the installer already requires administrative privileges and
installs into the system-wide ProgramFiles directory, but the start menu
entry and uninstaller registration are created only for the current user.
Issue: #29885https://cmake.org/cmake/help/latest/cpack_gen/wix.html#variable:CPACK_WIX_INSTALL_SCOPE
Solution:
With setting CPACK_WIX_INSTALL_SCOPE to "perMachine" the generated msi
installer includes the Property ALLUSERS=1.
Additionally the start menu entries and uninstaller registration will be
created for all users.
(cherry picked from commit 88f07d6ca4)
Problem: Some other options reset curswant unnecessarily when set.
(Andrew Haust)
Solution: Don't reset curswant when setting 'comments', 'commentstring'
or 'define' (zeertzjq)
fixes: vim/vim#15462closes: vim/vim#15467b026a293b1
(cherry picked from commit 0ec43cb4b5)
Problem: When preparing the parameters for a code actions LSP request,
the code set `context.diagnostics` when processing the first LSP client,
and then reused those `context.diagnostics` for subsequent LSP clients.
This meant that the second and next LSP clients got diagnostics that
did not originate from them, and they did not get the diagnostics that
they sent.
Solution: Avoid setting `context.diagnostics` (which is referenced by
all clients). Instead, set `params.context.diagnostics` directly, which
is specific to a single client.
Fixes#30001
Caused by #29501
(cherry picked from commit 7031949be0)
When the cursor is moved we terminate any active OSC 8 sequences to
prevent the sequence from inadvertently spanning regions it is not meant
to span. However, if we do not also reset the TUI's active attr id
(print_attr_id) then the TUI does not "know" that it's current attribute
set has changed. When cursor_goto is called to wrap a line, the TUI does
not recompute the attributes so the OSC 8 sequence is not restarted
again.
When we terminate an OSC 8 sequence before moving the cursor, also reset
the active attr id so that the attributes are recomputed for URLs.
(cherry picked from commit f32557ca67)
Problem: [security] double-free in dialog_changed()
(SuyueGuo)
Solution: Only clear pointer b_sfname pointer, if it is different
than the b_ffname pointer. Don't try to free b_fname,
set it to NULL instead.
fixes: vim/vim#15403
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2fb29f4abcd4
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 6967c08840)
- common_function() has always been in evalfunc.c in Vim
- return_register() has always been in evalfunc.c in Vim
- get_user_input() was moved to ex_getln.c in Vim 8.1.1957
- tv_get_lnum_buf() was moved to typval.c in Vim 8.2.0847
(cherry picked from commit 383f693472)
Problem:
If there are errors in the last line of a buffer, something like `Gdk` or
`G2k3J` will produce an error (at least with `lua_ls`):
Error executing vim.schedule lua callback:
.../neovim/share/nvim/runtime/lua/vim/diagnostic.lua:1446: Invalid 'line': out of range
Solution:
Only set extmarks if the target buffer line still exists
(cherry picked from commit e5e81262af)
`buf.code_action` always included diagnostics on a given line from all
clients. Servers should only receive diagnostics they published, and in
the exact same format they sent it.
Should fix https://github.com/neovim/neovim/issues/29500
(cherry picked from commit 720b309c78)
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr48a0bbe7b8a
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 6af359ef4c)
Problem: [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
list
function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.
So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer
closes: vim/vim#136520f28791b21
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit a4bec30b7b)
Problem: [security]: use-after-free in exec_instructions()
Solution: get tv pointer again
[security]: use-after-free in exec_instructions()
exec_instructions may access freed memory, if the GA_GROWS_FAILS()
re-allocates memory. When this happens, the typval tv may still point to
now already freed memory. So let's get that pointer again and compare it
with tv. If those two pointers differ, tv is now invalid and we have to
refresh the tv pointer.
closes: vim/vim#136215dd41d4b63
Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 9f2d793068)
Problem: E1510 may happen when formatting a message
(after 9.1.0181).
Solution: Only give E1510 when using typval. (zeertzjq)
closes: vim/vim#153910dff31576a
(cherry picked from commit d131c48c82)
Fix the following two issues:
- pyenv root detection issue
When `PYENV_ROOT` environment variable is not set, neovim will detect
pyenv's root via `pyenv root` command, but which will be always fail
because `vim.fn.system()` returns result with additional `\n`. Using
`vim.system` instead prevents this problem. to trim it before check
whether it is exists
- python executable path detection issue
Filter unrelated `python-config` in cases where multiple python versions
are installed, e.g. `python-config`, `python3.10-config`,
`python3.11-config` etc.
(cherry picked from commit b4b4cf46a7)