From db133879b2a115cdf982b2899f154f1851d59a60 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 6 Feb 2026 07:40:51 +0800
Subject: [PATCH] vim-patch:9.1.2132: [security]: buffer-overflow in 'helpfile'
 option handling (#37735)

Problem:  [security]: buffer-overflow in 'helpfile' option handling by
          using strcpy without bound checks (Rahul Hoysala)
Solution: Limit strncpy to the length of the buffer (MAXPATHL)

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43

https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 src/nvim/tag.c                 | 2 +-
 test/old/testdir/test_help.vim | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/nvim/tag.c b/src/nvim/tag.c
index 7dd4cd39d1..17ca81ed0a 100644
--- a/src/nvim/tag.c
+++ b/src/nvim/tag.c
@@ -2500,7 +2500,7 @@ int get_tagfname(tagname_T *tnp, int first, char *buf)
         return FAIL;
       }
       tnp->tn_hf_idx++;
-      STRCPY(buf, p_hf);
+      xstrlcpy(buf, p_hf, MAXPATHL);
       STRCPY(path_tail(buf), "tags");
 #ifdef BACKSLASH_IN_FILENAME
       slash_adjust(buf);
diff --git a/test/old/testdir/test_help.vim b/test/old/testdir/test_help.vim
index e2ae06d486..c9371221d1 100644
--- a/test/old/testdir/test_help.vim
+++ b/test/old/testdir/test_help.vim
@@ -296,4 +296,13 @@ func Test_help_command_termination()
   helpclose
 endfunc
 
+" This caused a buffer overflow
+func Test_helpfile_overflow()
+  let _helpfile = &helpfile
+  let &helpfile = repeat('A', 5000)
+  help
+  helpclose
+  let &helpfile = _helpfile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab