patch 9.2.0271: buffer underflow in vim_fgets()

Problem:  buffer underflow in vim_fgets()
Solution: Ensure size is always greater than 1
          (Koda Reef)

Signed-off-by: Koda Reef <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>

Author: kodareef5

src/fileio.c

@@ -3833,6 +3833,14 @@ vim_fgets(char_u *buf, int size, FILE *fp)
 #define FGETS_SIZE 200
     char	tbuf[FGETS_SIZE];
 
+    // safety check
+    if (size < 2)
+    {
+	if (size == 1)
+	    buf[0] = NUL;
+	return TRUE;
+    }
+
     buf[size - 2] = NUL;
     eof = fgets((char *)buf, size, fp);
     if (buf[size - 2] != NUL && buf[size - 2] != '\n')

src/testdir/test_viminfo.vim

@@ -1351,4 +1351,24 @@ func Test_viminfo_global_var()
   let &viminfo = _viminfo
 endfunc
 
+func Test_viminfo_len_one()
+  let _viminfofile = &viminfofile
+  let &viminfofile=''
+  let viminfo_file = tempname()
+  call histadd('cmd', '" TEST')
+  defer delete(viminfo_file)
+
+  " Craft a viminfo entry with ^V1 length prefix (len == 1)
+  call writefile([
+      \ '*encoding=utf-8',
+      \ ':' .. "\x161" .. 'X',
+      \ ], viminfo_file, 'b')
+
+  " Should not crash or cause memory errors
+  exe 'rviminfo! ' .. viminfo_file
+  call assert_equal('" TEST', histget(':', -1))
+
+  let &viminfofile = _viminfofile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    271,
 /**/
     270,
 /**/

src/viminfo.c

@@ -265,7 +265,7 @@ viminfo_readstring(
     if (virp->vir_line[off] == Ctrl_V && vim_isdigit(virp->vir_line[off + 1]))
     {
 	len = atol((char *)virp->vir_line + off + 1);
-	if (len > 0 && len < 1000000)
+	if (len > 1 && len < 1000000)
 	    retval = lalloc(len, TRUE);
 	if (retval == NULL)
 	{