patch 9.2.0284: tabpanel: crash when tabpanel expression returns variable line count

chrisbra · mmajchrowicz-afine · chrisbra · commit b2fbb7c32de0 · 2026-04-02T17:37:58.000Z
Problem:  When a tabpanel expression returns a different number of lines on
          successive evaluations, the computed row offset can become negative,
          causing screen_fill() to receive an invalid start_row and crash
          (after v9.1.1391).
Solution: Clamp the row argument in screen_fill_tailing_area() to zero,
          add a safety check in screen_fill() for negative start_row
          (Michał Majchrowicz)

Supported by AI

Co-authored-by: Michał Majchrowicz &lt;mmajchrowicz@afine.com&gt;
Signed-off-by: Christian Brabandt &lt;cb@256bit.org&gt;
diff --git a/src/screen.c b/src/screen.c
@@ -2498,6 +2498,7 @@ screen_fill(
     if (end_col > screen_Columns)	// safety check
 	end_col = screen_Columns;
     if (ScreenLines == NULL
+	    || start_row < 0		// should not happen
 	    || start_row >= end_row
 	    || start_col >= end_col)	// nothing to do
 	return;
diff --git a/src/tabpanel.c b/src/tabpanel.c
@@ -544,7 +544,7 @@ do_by_tplmode(
     }
 
     // fill the area of TabPanelFill.
-    screen_fill_tailing_area(tplmode, row - args.offsetrow, args.maxrow,
+    screen_fill_tailing_area(tplmode, MAX(row - args.offsetrow, 0), args.maxrow,
 	    args.col_start, args.col_end, attr_tplf);
 }
 
diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
@@ -892,4 +892,35 @@ func Test_tabpanel_large_columns()
   call assert_fails(':set tabpanelopt=columns:-1', 'E474:')
 endfunc
 
+func Test_tabpanel_variable_height()
+  CheckFeature tabpanel
+
+  let save_lines = &lines
+  let save_showtabpanel = &showtabpanel
+  let save_tabpanel = &tabpanel
+
+  set lines=10
+  tabnew | tabnew | tabnew | tabnew | tabnew
+
+  let g:tpl_n = 0
+  func! GetTpl() abort
+    let g:tpl_n += 1
+    return g:tpl_n <= 5 ? "x\nx" : "x"
+  endfunc
+
+  set showtabpanel=2
+  let &tabpanel = "%!GetTpl()"
+
+  " Should not crash
+  redraw!
+
+  " Cleanup
+  let &tabpanel = save_tabpanel
+  let &showtabpanel = save_showtabpanel
+  let &lines = save_lines
+  delfunc GetTpl
+  unlet g:tpl_n
+  %bwipeout!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    284,
 /**/
     283,
 /**/

Original file line number	Diff line number	Diff line change
`@@ -544,7 +544,7 @@ do_by_tplmode(`
`544`	`544`	`}`
`545`	`545`
`546`	`546`	`// fill the area of TabPanelFill.`
`547`		`- screen_fill_tailing_area(tplmode, row - args.offsetrow, args.maxrow,`
	`547`	`+ screen_fill_tailing_area(tplmode, MAX(row - args.offsetrow, 0), args.maxrow,`
`548`	`548`	`args.col_start, args.col_end, attr_tplf);`
`549`	`549`	`}`
`550`	`550`