commit 89dc889c3d07c7e9f0632243967cd8ae8e53789c
parent 43f7434bd5fa5d13a3aefe4bfaea2973bae7dda2
Author: zeertzjq <zeertzjq@outlook.com>
Date: Thu, 2 Oct 2025 08:26:44 +0800
Merge pull request #35978 from zeertzjq/vim-9.1.0689
vim-patch:9.1.{0689,0695,0698}
Diffstat:
3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/nvim/search.c b/src/nvim/search.c
@@ -1282,9 +1282,10 @@ int do_search(oparg_T *oap, int dirc, int search_delim, char *pat, size_t patlen
// it would be blanked out again very soon. Show it on the
// left, but do reverse the text.
if (curwin->w_p_rl && *curwin->w_p_rlc == 's') {
- char *r = reverse_text(trunc != NULL ? trunc : msgbuf);
+ char *r = reverse_text(msgbuf);
xfree(msgbuf);
msgbuf = r;
+ msgbuflen = strlen(msgbuf);
// move reversed text to beginning of buffer
while (*r == ' ') {
r++;
diff --git a/test/old/testdir/crash/reverse_text_overflow b/test/old/testdir/crash/reverse_text_overflow
Binary files differ.
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
@@ -150,6 +150,13 @@ func Test_crash1_2()
\ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
call TermWait(buf, 150)
+ let file = 'crash/reverse_text_overflow'
+ let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+ call TermWait(buf, 150)
+
" clean up
exe buf .. "bw!"
exe "sp " .. result
@@ -158,6 +165,7 @@ func Test_crash1_2()
\ 'crash 2: [OK]',
\ 'crash 3: [OK]',
\ 'crash 4: [OK]',
+ \ 'crash 5: [OK]',
\ ]
call assert_equal(expected, getline(1, '$'))
@@ -216,4 +224,11 @@ func Test_crash2()
exe buf .. "bw!"
endfunc
+func TearDown()
+ " That file is created at Test_crash1_3() by dialog_changed_uaf
+ " but cleaning up in that test doesn't remove it. Let's try again at
+ " the end of this test script
+ call delete('Untitled')
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
