mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-03-28 03:12:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.2.0074: [security]: Crash with overlong emacs tag file

Browse Source 
Problem:  Crash with overlong emacs tag file, because of an OOB buffer
          read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j

f6a7f469a9

Cherry-pick a change from patch 9.0.0767.
Add missing change from patch 9.2.0070.

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2026-02-28 08:08:57 +08:00
parent c4fdd3b072
commit 95ddabdb2b
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
test/old/testdir/test_global.vim
View File

@@ -93,7 +93,7 @@ func Test_global_newline()
call setline(1, ["foo\<NL>bar"])
exe "g/foo/s/foo\\\<NL>bar/xyz/"
call assert_equal('xyz', getline(1))
close!
bw!
endfunc
" Test :g with ? as delimiter.

18
test/old/testdir/test_taglist.vim
View File

@@ -302,7 +302,7 @@ func Test_tag_complete_with_overlong_line()
inboundGovernor a 2;" kind:⊢ type:forall (muxMode :: MuxMode) socket peerAddr versionNumber m a b. (MonadAsync m, MonadCatch m, MonadEvaluate m, MonadThrow m, MonadThrow (STM m), MonadTime m, MonadTimer m, MonadMask m, Ord peerAddr, HasResponder muxMode ~ True) => Tracer m (RemoteTransitionTrace peerAddr) -> Tracer m (InboundGovernorTrace peerAddr) -> ServerControlChannel muxMode peerAddr ByteString m a b -> DiffTime -> MuxConnectionManager muxMode socket peerAddr versionNumber ByteString m a b -> StrictTVar m InboundGovernorObservableState -> m Void
inboundGovernorCounters a 3;" kind:⊢ type:InboundGovernorState muxMode peerAddr m a b -> InboundGovernorCounters
END
call writefile(tagslines, 'Xtags')
call writefile(tagslines, 'Xtags', 'D')
set tags=Xtags
" try with binary search
@@ -315,7 +315,21 @@ func Test_tag_complete_with_overlong_line()
call assert_equal('"tag inboundGSV inboundGovernor inboundGovernorCounters', @:)
set tagbsearch&
call delete('Xtags')
set tags&
endfunc
" This used to crash Vim
func Test_evil_emacs_tagfile()
CheckFeature emacs_tags
let longline = repeat('a', 515)
call writefile([
\ "\x0c",
\ longline
\ ], 'Xtags', 'D')
set tags=Xtags
call assert_fails(':tag a', 'E426:')
set tags&
endfunc