vim-patch:9.1.2132: [security]: buffer-overflow in 'helpfile' option handling (#37735)

Problem: [security]: buffer-overflow in 'helpfile' option handling by using strcpy without bound checks (Rahul Hoysala) Solution: Limit strncpy to the length of the buffer (MAXPATHL) Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 0714b15940 Co-authored-by: Christian Brabandt <cb@256bit.org> (cherry picked from commit db133879b2)
2026-02-23 19:02:13 +10:00 · 2026-02-06 07:40:51 +08:00
parent a3c8c593f2
commit 4792c29969
2 changed files with 10 additions and 1 deletions
--- a/src/nvim/tag.c
+++ b/src/nvim/tag.c
@@ -2495,7 +2495,7 @@ int get_tagfname(tagname_T *tnp, int first, char *buf)
        return FAIL;
      }
      tnp->tn_hf_idx++;
-      STRCPY(buf, p_hf);
+      xstrlcpy(buf, p_hf, MAXPATHL);
      STRCPY(path_tail(buf), "tags");
 #ifdef BACKSLASH_IN_FILENAME
      slash_adjust(buf);
--- a/test/old/testdir/test_help.vim
+++ b/test/old/testdir/test_help.vim
@@ -232,4 +232,13 @@ func Test_help_using_visual_match()
 endfunc


+" This caused a buffer overflow
+func Test_helpfile_overflow()
+  let _helpfile = &helpfile
+  let &helpfile = repeat('A', 5000)
+  help
+  helpclose
+  let &helpfile = _helpfile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab