vim-patch:9.1.2132: [security]: buffer-overflow in 'helpfile' option handling (#37735)

Problem: [security]: buffer-overflow in 'helpfile' option handling by using strcpy without bound checks (Rahul Hoysala) Solution: Limit strncpy to the length of the buffer (MAXPATHL) Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 0714b15940 Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-03-30 20:32:08 +00:00 · 2026-02-06 07:40:51 +08:00
parent e40c5cb06d
commit db133879b2
2 changed files with 10 additions and 1 deletions
--- a/src/nvim/tag.c
+++ b/src/nvim/tag.c
@@ -2500,7 +2500,7 @@ int get_tagfname(tagname_T *tnp, int first, char *buf)
        return FAIL;
      }
      tnp->tn_hf_idx++;
-      STRCPY(buf, p_hf);
+      xstrlcpy(buf, p_hf, MAXPATHL);
      STRCPY(path_tail(buf), "tags");
 #ifdef BACKSLASH_IN_FILENAME
      slash_adjust(buf);
--- a/test/old/testdir/test_help.vim
+++ b/test/old/testdir/test_help.vim
@@ -296,4 +296,13 @@ func Test_help_command_termination()
  helpclose
 endfunc

+" This caused a buffer overflow
+func Test_helpfile_overflow()
+  let _helpfile = &helpfile
+  let &helpfile = repeat('A', 5000)
+  help
+  helpclose
+  let &helpfile = _helpfile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab