mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-04-06 07:38:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.2132: [security]: buffer-overflow in 'helpfile' option handling (#37735)

Browse Source 
Problem:  [security]: buffer-overflow in 'helpfile' option handling by
          using strcpy without bound checks (Rahul Hoysala)
Solution: Limit strncpy to the length of the buffer (MAXPATHL)

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43

0714b15940

Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit db133879b2)
This commit is contained in:
zeertzjq
2026-02-06 07:40:51 +08:00
committed by github-actions[bot]
parent a3c8c593f2
commit 4792c29969
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/nvim/tag.c
View File

@@ -2495,7 +2495,7 @@ int get_tagfname(tagname_T *tnp, int first, char *buf)
return FAIL; return FAIL;
} }
tnp->tn_hf_idx++; tnp->tn_hf_idx++;
STRCPY(buf, p_hf); xstrlcpy(buf, p_hf, MAXPATHL);
STRCPY(path_tail(buf), "tags"); STRCPY(path_tail(buf), "tags");
#ifdef BACKSLASH_IN_FILENAME #ifdef BACKSLASH_IN_FILENAME
slash_adjust(buf); slash_adjust(buf);

9
test/old/testdir/test_help.vim
View File

@@ -232,4 +232,13 @@ func Test_help_using_visual_match()
endfunc endfunc
" This caused a buffer overflow
func Test_helpfile_overflow()
let _helpfile = &helpfile
let &helpfile = repeat('A', 5000)
help
helpclose
let &helpfile = _helpfile
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab