From 870e50f0ff153d35656e8f59eaf4c1ac3709b331 Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Mon, 6 Apr 2026 11:24:20 +0800 Subject: [PATCH] vim-patch:9.2.0293: :packadd may lead to heap-buffer-overflow Problem: :packadd may lead to heap-buffer-overflow when all entries in 'runtimepath' have the same length (after 9.2.0291). Solution: Check for comma after current entry properly (zeertzjq). related: vim/vim#19854 closes: vim/vim#19911 https://github.com/vim/vim/commit/bc182ae56eb71b94738aaa3bd607c32f584fc200 --- src/nvim/runtime.c | 2 +- test/old/testdir/test_packadd.vim | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/nvim/runtime.c b/src/nvim/runtime.c index 8f577b971d..e1b797c7a0 100644 --- a/src/nvim/runtime.c +++ b/src/nvim/runtime.c @@ -1076,7 +1076,7 @@ static int add_pack_dir_to_rtp(char *fname, bool is_pack) buf.size = copy_option_part((char **)&entry, buf.data, MAXPATHL, ","); // keep track of p_rtp length as we go to make the strlen() below have less work to do - p_rtp_len += (*(p_rtp + buf.size) == ',') ? buf.size + 1 : buf.size; + p_rtp_len += (*(cur_entry + buf.size) == ',') ? buf.size + 1 : buf.size; char *p = strstr(buf.data, "after"); bool is_after = p != NULL diff --git a/test/old/testdir/test_packadd.vim b/test/old/testdir/test_packadd.vim index 47cf520bb9..45d017e372 100644 --- a/test/old/testdir/test_packadd.vim +++ b/test/old/testdir/test_packadd.vim @@ -27,6 +27,13 @@ func Test_packadd() " plugdir should be inserted before plugdir/after call assert_match('^nosuchdir,' . s:plugdir . ',', &rtp) + " This used to cause heep-buffer-overflow + " All existing entries in 'rtp' have the same length here + let &rtp = 'Xfoodir,Xbardir,Xbazdir' + packadd mytest + " plugdir should be inserted after the existing directories + call assert_match('^Xfoodir,Xbardir,Xbazdir,' .. s:plugdir .. ',', &rtp) + set rtp& let rtp = &rtp filetype on
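Review bot: The corrected peek `*(cur_entry + buf.size) == ','` still derives the consumed length from the copied length, and the two match only when `copy_option_part()` copies the entry byte for byte. The comment above it says `p_rtp_len` later shortens a `strlen()`, so any over-count becomes a read past the end of 'runtimepath', which is the failure this patch fixes. Since `entry` is passed by address and is presumably advanced past the separator, the offset could be taken from it directly, for example `p_rtp_len = (size_t)(entry - p_rtp);` (assuming `entry` starts at `p_rtp` and `p_rtp_len` is a `size_t`; neither declaration is in the hunk). If staying identical to the upstream Vim line matters more, a comment such as `// invariant: p_rtp_len never exceeds strlen(p_rtp)` would record why this line is safety-relevant. The body of add_pack_dir_to_rtp starts and ends outside the hunk.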
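Review bot: The new case in Test_packadd covers only plain entries of equal length, so it pins the reported input but not the length accounting in general. Entries whose copied form is presumably shorter than their text in the option, such as one with an escaped comma (`\,`) or one followed by a space after the comma, would exercise the same line and deserve a second `let &rtp = ...` / `packadd mytest` / `assert_match` group. The out-of-bounds read is likely to be reported only under a sanitizer or valgrind run, which the added comment could state, and `heep-buffer-overflow` in it should read `heap-buffer-overflow`. Test_packadd begins and ends outside the hunk.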