From 03e68ad5d39170199955aba44e4fcd92bca550ab Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Fri, 6 Feb 2026 18:29:24 +0800
Subject: [PATCH] vim-patch:9.1.2133: Another case of buffer overflow with 'helpfile' (#37746)
Problem: Another case of buffer overflow with 'helpfile'.
Solution: Leave room for "tags" in the buffer (zeertzjq).
closes: vim/vim#19340
https://github.com/vim/vim/commit/21d591fb12b08b52d92253bf9ac4b866475d62d6
(cherry picked from commit 15061d322dcd075aec21dccc31c6205b13880b94)
---
 src/nvim/tag.c | 2 +-
 test/old/testdir/test_help.vim | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/nvim/tag.c b/src/nvim/tag.c
index ce8e75253d..c97f63b62f 100644
--- a/src/nvim/tag.c
+++ b/src/nvim/tag.c
@@ -2495,7 +2495,7 @@ int get_tagfname(tagname_T *tnp, int first, char *buf)
 return FAIL;
 }
 tnp->tn_hf_idx++;
- xstrlcpy(buf, p_hf, MAXPATHL);
+ xstrlcpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags"));
 STRCPY(path_tail(buf), "tags");
 #ifdef BACKSLASH_IN_FILENAME
 slash_adjust(buf);
diff --git a/test/old/testdir/test_help.vim b/test/old/testdir/test_help.vim
index 77f893a90f..0eb3a2730a 100644
--- a/test/old/testdir/test_help.vim
+++ b/test/old/testdir/test_help.vim
@@ -238,6 +238,11 @@ func Test_helpfile_overflow()
 let &helpfile = repeat('A', 5000)
 help
 helpclose
+ for i in range(4089, 4096)
+ let &helpfile = repeat('A', i) .. '/A'
+ help
+ helpclose
+ endfor
 let &helpfile = _helpfile
 endfunc
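Review bot: The `STRCPY(path_tail(buf), "tags")` after the changed line in src/nvim/tag.c is still unbounded, so the new limit is exactly sufficient with no slack: xstrlcpy leaves at most MAXPATHL - 5 bytes plus the NUL, and when the copied path has an empty tail, `"tags"` and its NUL end on the last byte of a MAXPATHL buffer. That holds only if every caller passes a buffer of at least MAXPATHL bytes, which this hunk does not show. I would record the invariant in a comment, `// Reserve room for "tags": path_tail() may point at the terminating NUL.`, or bound the second copy too with `char *tail = path_tail(buf);` followed by `xstrlcpy(tail, "tags", MAXPATHL - (size_t)(tail - buf));`. get_tagfname's body starts and ends outside the hunk.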
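Review bot: The loop added to Test_helpfile_overflow hard-codes 4089..4096, which brackets the buffer limit only where MAXPATHL is 4096; on a build with a different limit the boundary this patch fixes is presumably not exercised. The loop also asserts nothing, so a regression shows up only as a crash or under a memory checker such as ASan or Valgrind. A comment above the loop would record both, for example `" Lengths around MAXPATHL (4096 assumed); an overflow is only caught by a crash or a sanitizer.` The function starts outside the hunk, where `_helpfile` is presumably saved.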