From 3e7f0a13e19b9a4921915a432d4517cc655f4e7c Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Thu, 6 Mar 2025 07:08:53 +0800 Subject: [PATCH] vim-patch:9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file (#32739) Problem: heap-buffer-overflow with 'nostartofline' and Ex command in tag file. Solution: Set cursor column when moving cursor to line 1 (zeertzjq). closes: vim/vim#16796 https://github.com/vim/vim/commit/3ed6659549e447ff00def8edc841321e497f70a8 --- src/nvim/tag.c | 2 ++ test/old/testdir/test_tagjump.vim | 35 +++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/src/nvim/tag.c b/src/nvim/tag.c index 0ee54ef10b..39afe2c585 100644 --- a/src/nvim/tag.c +++ b/src/nvim/tag.c @@ -3014,6 +3014,8 @@ static int jumpto_tag(const char *lbuf_arg, int forceit, bool keep_help) secure = 1; sandbox++; curwin->w_cursor.lnum = 1; // start command in line 1 + curwin->w_cursor.col = 0; + curwin->w_cursor.coladd = 0; do_cmdline_cmd(pbuf); retval = OK; diff --git a/test/old/testdir/test_tagjump.vim b/test/old/testdir/test_tagjump.vim index ff1110e070..34a94cdd62 100644 --- a/test/old/testdir/test_tagjump.vim +++ b/test/old/testdir/test_tagjump.vim @@ -1623,4 +1623,39 @@ func Test_tagbsearch() set tags& tagbsearch& endfunc +" Test tag guessing with very short names +func Test_tag_guess_short() + call writefile(["!_TAG_FILE_ENCODING\tutf-8\t//", + \ "y\tXf\t/^y()/"], + \ 'Xt', 'D') + set tags=Xt cpoptions+=t + call writefile(['', 'int * y () {}', ''], 'Xf', 'D') + + let v:statusmsg = '' + let @/ = '' + ta y + call assert_match('E435:', v:statusmsg) + call assert_equal(2, line('.')) + call assert_match('