fix(win32): prevent typeahead buffer overflow during mouse drag#19851
Open
mattn wants to merge 1 commit into vim:master from
Conversation
The typeahead buffer guard in mch_inchar() only reserved 5 bytes per iteration, but a mouse event writes up to 7 bytes (3 header + 4 coordinates) and a scroll event with modifiers writes up to 10 bytes (3 modifier + 3 scroll + 4 coordinates). During fast mouse dragging, 3+ events could queue up and overflow the 20-byte buffer, corrupting adjacent static variables and causing garbage bytes (including Ctrl-Z) to be fed into the input stream, which triggered nv_suspend/ex_stop. Change the guard from 5 to 10 to account for the worst case.
The typeahead buffer guard in mch_inchar() only reserved 5 bytes per loop iteration, but a mouse event writes up to 7 bytes (3 header + 4 coordinates) and a scroll event with modifiers writes up to 10 bytes. When dragging the status line quickly on Windows console, 3+ mouse events could queue up in a single loop pass and overflow the 20-byte static buffer, corrupting adjacent memory. This caused garbage bytes to be fed into the input stream, triggering unintended commands such as Ctrl-Z (suspend).
The bug has existed since Vim 7.0001 but was not visible on the legacy console where ReadConsole properly skipped MOUSE_EVENT records. With ConPTY (Windows Terminal), the corruption becomes visible.
Change the guard from 5 to 10 to match the actual worst-case write size.
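The arithmetic in the description and commit message above (a 20-byte buffer, a 5-byte guard, events of 7 and 10 bytes) can be checked with a small model. The following is an added example, not Vim's code and not part of this pull request: the names `TYPEAHEAD_LEN`, `drain_events`, `worst_case_fill` and `guard_is_safe` are hypothetical, the sizes come from the PR text, and the exact form of the guard test ("keep reading while more than `guard` bytes are free") is an assumption about how mch_inchar() loops. The simulated writes land in an oversized array with a canary tail, so an overrun of the modelled buffer is detected rather than actually corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the mch_inchar() typeahead loop described in the PR.
 * This is NOT Vim's code: buffer size, event sizes and guard values are taken
 * from the PR text; the shape of the guard test itself is an assumption.
 */
#define TYPEAHEAD_LEN      20   /* static buffer size named in the PR */
#define MOUSE_EVENT_BYTES   7   /* 3 header + 4 coordinate bytes */
#define SCROLL_EVENT_BYTES 10   /* 3 modifier + 3 scroll + 4 coordinate bytes */
#define OLD_GUARD           5   /* guard before the fix */
#define NEW_GUARD          10   /* guard after the fix */

typedef struct {
    size_t bytes_written;   /* bytes the queued events appended in one pass */
    bool   overflowed;      /* true if any write ran past TYPEAHEAD_LEN */
} drain_result;

/*
 * Simulate one pass of the input loop: pull queued events and append them
 * while the guard says there is room. Writes go into an oversized array whose
 * tail holds a canary byte, so an overrun of the modelled 20-byte buffer is
 * detected instead of corrupting anything.
 */
static drain_result drain_events(const size_t *event_sizes, size_t nevents, size_t guard)
{
    enum { SLACK = 16 };
    unsigned char buf[TYPEAHEAD_LEN + SLACK];
    drain_result r = { 0, false };
    size_t len = 0;

    memset(buf, 0xAA, sizeof buf);          /* 0xAA = canary beyond the real buffer */

    for (size_t i = 0; i < nevents; i++) {
        /* assumed guard form: continue only while more than `guard` bytes are free */
        if (len + guard >= TYPEAHEAD_LEN)
            break;
        size_t n = event_sizes[i];
        if (len + n > sizeof buf)           /* keep the model itself in bounds */
            break;
        memset(buf + len, 0x00, n);         /* the event's bytes land here */
        len += n;
    }

    r.bytes_written = len;
    for (size_t i = TYPEAHEAD_LEN; i < sizeof buf; i++) {
        if (buf[i] != 0xAA) {               /* canary clobbered: the write overran */
            r.overflowed = true;
            break;
        }
    }
    return r;
}

static bool overflows_with_guard(const size_t *event_sizes, size_t nevents, size_t guard)
{
    return drain_events(event_sizes, nevents, guard).overflowed;
}

/*
 * Worst-case fill under this guard form: the loop may still be entered with
 * TYPEAHEAD_LEN - guard - 1 bytes used, and the largest event then lands on
 * top. The guard is safe only if that total stays within TYPEAHEAD_LEN.
 */
static size_t worst_case_fill(size_t guard, size_t max_event)
{
    return (TYPEAHEAD_LEN - guard - 1) + max_event;
}

static bool guard_is_safe(size_t guard, size_t max_event)
{
    return worst_case_fill(guard, max_event) <= TYPEAHEAD_LEN;
}

/* Constructed event queues (not captured from a real session). */
static const size_t fast_drag[]        = { MOUSE_EVENT_BYTES, MOUSE_EVENT_BYTES, MOUSE_EVENT_BYTES };
static const size_t drag_then_scroll[] = { MOUSE_EVENT_BYTES, MOUSE_EVENT_BYTES, SCROLL_EVENT_BYTES };

int main(void)
{
    const size_t guards[] = { OLD_GUARD, NEW_GUARD };
    for (size_t g = 0; g < 2; g++) {
        drain_result a = drain_events(fast_drag, 3, guards[g]);
        drain_result b = drain_events(drag_then_scroll, 3, guards[g]);
        printf("guard %2zu: 3 mouse -> %2zu bytes %s; 2 mouse + scroll -> %2zu bytes %s; worst case %zu (%s)\n",
               guards[g],
               a.bytes_written, a.overflowed ? "OVERFLOW" : "ok",
               b.bytes_written, b.overflowed ? "OVERFLOW" : "ok",
               worst_case_fill(guards[g], SCROLL_EVENT_BYTES),
               guard_is_safe(guards[g], SCROLL_EVENT_BYTES) ? "safe" : "unsafe");
    }
    return 0;
}
```

With the old guard, three 7-byte mouse events are all accepted in one pass (0, 7 and 14 bytes used are each below the 15-byte threshold) and the third lands at offset 14, ending at 21; with the new guard the loop stops after two events at 14 bytes. The general check is `guard_is_safe`: a per-iteration reservation only protects the buffer if it is sized for the largest single write that can follow it.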