From e85fc92a6ba4b2bf165b360846b6fb460e98ab52 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Sat, 28 Feb 2026 08:11:48 +0800
Subject: [PATCH] vim-patch:9.2.0075: [security]: Buffer underflow with emacs
 tag file

Problem:  When parsing a malformed Emacs-style tags file, a 1-byte
          heap-buffer-underflow read occurs if the 0x7f delimiter
          appears at the very beginning of a line. This happens
          because the code attempts to scan backward for a tag
          name from the delimiter without checking if space exists.
          (ehdgks0627, un3xploitable)
Solution: Add a check to ensure the delimiter (p_7f) is not at the
          start of the buffer (lbuf) before attempting to isolate
          the tag name.

GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv

https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 test/old/testdir/test_taglist.vim | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/test/old/testdir/test_taglist.vim b/test/old/testdir/test_taglist.vim
index d2e6036e7b..869d684987 100644
--- a/test/old/testdir/test_taglist.vim
+++ b/test/old/testdir/test_taglist.vim
@@ -333,4 +333,20 @@ func Test_evil_emacs_tagfile()
   set tags&
 endfunc
 
+" This used to crash Vim due to a heap-buffer-underflow
+func Test_emacs_tagfile_underflow()
+  CheckFeature emacs_tags
+  " The sequence from the crash artifact:
+  let lines = [
+    \ "\x0c\xff\xffT\x19\x8a",
+    \ "\x19\x19\x0dtags\x19\x19\x19\x00\xff\xff\xff",
+    \ "\x7f3\x0c"
+    \ ]
+  call writefile(lines, 'Xtags', 'D')
+  set tags=Xtags
+  call assert_fails(':tag a', 'E431:')
+
+  set tags&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab