From dd9ed46a39df8a8b08ef4b491fdf53bcbfdc0c2d Mon Sep 17 00:00:00 2001 From: Yee Cheng Chin Date: Sat, 4 Oct 2025 10:26:55 +0000 Subject: [PATCH] patch 9.1.1823: diff: w_topline may be invalidated Problem: diff: w_topline may be invalidated Solution: Update lnum in diff_set_topline() (Yee Cheng Chin). This can happen in ex_diffupdate() for certain edge cases which cause the logic to now be wrong. This was also the root cause for #18437 where Vim would crash due to a null pointer dereferencing (said pointer would not be null under normal circumstances). related: #18437 closes: #18484 Signed-off-by: Yee Cheng Chin Signed-off-by: Christian Brabandt --- src/diff.c | 5 +++-- src/version.c | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/diff.c b/src/diff.c index ec0640c56a..0beee845ca 100644 --- a/src/diff.c +++ b/src/diff.c @@ -2254,7 +2254,7 @@ calculate_topfill_and_topline( // move the same amount of virtual lines in the target buffer to find the // cursor's line number - if (thistopdiff != NULL) + if (thistopdiff != NULL) // this should not be null, but just for safety curlinenum_to = thistopdiff->df_lnum[toidx]; int virt_lines_left = virtual_lines_passed; @@ -2681,7 +2681,7 @@ diff_check_fill(win_T *wp, linenr_T lnum) diff_set_topline(win_T *fromwin, win_T *towin) { buf_T *frombuf = fromwin->w_buffer; - linenr_T lnum = fromwin->w_topline; + linenr_T lnum; int fromidx; int toidx; diff_T *dp; @@ -2693,6 +2693,7 @@ diff_set_topline(win_T *fromwin, win_T *towin) if (curtab->tp_diff_invalid) ex_diffupdate(NULL); // update after a big change + lnum = fromwin->w_topline; towin->w_topfill = 0; // search for a change that includes "lnum" in the list of diffblocks. diff --git a/src/version.c b/src/version.c index 2ff94aba6d..30a9d76ddd 100644 --- a/src/version.c +++ b/src/version.c @@ -729,6 +729,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1823, /**/ 1822, /**/
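Review bot: The comment added to `if (thistopdiff != NULL)` in calculate_topfill_and_topline() says the pointer should never be null, yet the guard skips the assignment silently, so `curlinenum_to` keeps its earlier value and the code below carries on with it. The function starts and ends outside this hunk, so the initial value of `curlinenum_to` is not visible here; please confirm it is a valid line number in the target buffer. Presumably this is the pointer the commit message ties to the crash in #18437, so a broken invariant is worth reporting rather than hiding, for example with `else internal_error("calculate_topfill_and_topline()");`. That would make a future regression show up in test runs.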
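Review bot: The new `lnum = fromwin->w_topline;` in diff_set_topline() has no comment explaining why it sits after `ex_diffupdate(NULL)` and not at the declaration. A later cleanup could fold it back into `linenr_T lnum = fromwin->w_topline;` and bring back the stale value, so I would add `// read w_topline only after ex_diffupdate(), which may change it` above the assignment. `frombuf` is still captured from `fromwin->w_buffer` before the update, as the previous hunk shows. Whether anything derived from it can also go stale cannot be judged here, since the function body continues outside the hunk. The diffstat lists only src/diff.c and src/version.c, so this patch adds no regression test for the crash in #18437.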