vim-patch:9.2.0075: [security]: Buffer underflow with emacs tag file

Problem: When parsing a malformed Emacs-style tags file, a 1-byte heap-buffer-underflow read occurs if the 0x7f delimiter appears at the very beginning of a line. This happens because the code attempts to scan backward for a tag name from the delimiter without checking if space exists. (ehdgks0627, un3xploitable) Solution: Add a check to ensure the delimiter (p_7f) is not at the start of the buffer (lbuf) before attempting to isolate the tag name. GitHub Advisory: https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv 9b7dfa2948 Co-authored-by: Christian Brabandt <cb@256bit.org>
2026-03-28 03:12:00 +00:00 · 2026-02-28 08:11:48 +08:00
parent 95ddabdb2b
commit e85fc92a6b
1 changed files with 16 additions and 0 deletions
--- a/test/old/testdir/test_taglist.vim
+++ b/test/old/testdir/test_taglist.vim
@@ -333,4 +333,20 @@ func Test_evil_emacs_tagfile()
  set tags&
 endfunc

+" This used to crash Vim due to a heap-buffer-underflow
+func Test_emacs_tagfile_underflow()
+  CheckFeature emacs_tags
+  " The sequence from the crash artifact:
+  let lines = [
+    \ "\x0c\xff\xffT\x19\x8a",
+    \ "\x19\x19\x0dtags\x19\x19\x19\x00\xff\xff\xff",
+    \ "\x7f3\x0c"
+    \ ]
+  call writefile(lines, 'Xtags', 'D')
+  set tags=Xtags
+  call assert_fails(':tag a', 'E431:')
+
+  set tags&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab