From 95ddabdb2b0995b39a13f14de0f5ecabcda00dcd Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sat, 28 Feb 2026 08:08:57 +0800
Subject: [PATCH] vim-patch:9.2.0074: [security]: Crash with overlong emacs tag file

Problem: Crash with overlong emacs tag file, because of an OOB buffer read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.
Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j
https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d
Cherry-pick a change from patch 9.0.0767. Add missing change from patch 9.2.0070.
Co-authored-by: Christian Brabandt
---
 test/old/testdir/test_global.vim | 2 +-
 test/old/testdir/test_taglist.vim | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/test/old/testdir/test_global.vim b/test/old/testdir/test_global.vim
index e9a7a5b984..7624428059 100644
--- a/test/old/testdir/test_global.vim
+++ b/test/old/testdir/test_global.vim
@@ -93,7 +93,7 @@ func Test_global_newline()
 call setline(1, ["foo\bar"])
 exe "g/foo/s/foo\\\bar/xyz/"
 call assert_equal('xyz', getline(1))
- close!
+ bw!
 endfunc
 " Test :g with ? as delimiter.
diff --git a/test/old/testdir/test_taglist.vim b/test/old/testdir/test_taglist.vim
index fbb682a9b2..d2e6036e7b 100644
--- a/test/old/testdir/test_taglist.vim
+++ b/test/old/testdir/test_taglist.vim
@@ -302,7 +302,7 @@ func Test_tag_complete_with_overlong_line()
 inboundGovernor a 2;" kind:⊢ type:forall (muxMode :: MuxMode) socket peerAddr versionNumber m a b. (MonadAsync m, MonadCatch m, MonadEvaluate m, MonadThrow m, MonadThrow (STM m), MonadTime m, MonadTimer m, MonadMask m, Ord peerAddr, HasResponder muxMode ~ True) => Tracer m (RemoteTransitionTrace peerAddr) -> Tracer m (InboundGovernorTrace peerAddr) -> ServerControlChannel muxMode peerAddr ByteString m a b -> DiffTime -> MuxConnectionManager muxMode socket peerAddr versionNumber ByteString m a b -> StrictTVar m InboundGovernorObservableState -> m Void
 inboundGovernorCounters a 3;" kind:⊢ type:InboundGovernorState muxMode peerAddr m a b -> InboundGovernorCounters
 END
- call writefile(tagslines, 'Xtags')
+ call writefile(tagslines, 'Xtags', 'D')
 set tags=Xtags
 " try with binary search
@@ -315,7 +315,21 @@ func Test_tag_complete_with_overlong_line()
 call assert_equal('"tag inboundGSV inboundGovernor inboundGovernorCounters', @:)
 set tagbsearch&
- call delete('Xtags')
+ set tags&
+endfunc
+
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+ CheckFeature emacs_tags
+ let longline = repeat('a', 515)
+ call writefile([
+ \ "\x0c",
+ \ longline
+ \ ], 'Xtags', 'D')
+ set tags=Xtags
+
+ call assert_fails(':tag a', 'E426:')
+ set tags&
 endfunc
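Review bot: The length in `let longline = repeat('a', 515)` (second test_taglist.vim hunk, `Test_evil_emacs_tagfile`) is a bare number, so the test does not say which buffer limit the line must exceed to reach the out-of-bounds read named in the commit message. A comment above it, for example `" One line after the "\x0c" section marker, longer than the tag line buffer`, would tie the value to that limit; presumably 515 sits just past it, which should be confirmed against the C source. The diffstat lists only the two files under test/old/testdir, so this test is the only guard the patch carries, and `assert_fails(':tag a', 'E426:')` can still pass on a build where an over-read happens not to fault. It is therefore worth stating in that comment that the regression is only reliably caught when the suite runs under a sanitizer or memory checker.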