neovim

Neovim text editor

commit 95ddabdb2b0995b39a13f14de0f5ecabcda00dcd
parent c4fdd3b072adc53206efa6310fdfd197f90c8b96
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sat, 28 Feb 2026 08:08:57 +0800

vim-patch:9.2.0074: [security]: Crash with overlong emacs tag file

Problem:  Crash with overlong emacs tag file, because of an OOB buffer
          read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j

https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d

Cherry-pick a change from patch 9.0.0767.
Add missing change from patch 9.2.0070.

Co-authored-by: Christian Brabandt <cb@256bit.org>

Diffstat:
Mtest/old/testdir/test_global.vim | 2+-
Mtest/old/testdir/test_taglist.vim | 18++++++++++++++++--
2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/test/old/testdir/test_global.vim b/test/old/testdir/test_global.vim
@@ -93,7 +93,7 @@ func Test_global_newline()
 call setline(1, ["foo\<NL>bar"])
 exe "g/foo/s/foo\\\<NL>bar/xyz/"
 call assert_equal('xyz', getline(1))
- close!
+ bw!
 endfunc
 
 " Test :g with ? as delimiter.
diff --git a/test/old/testdir/test_taglist.vim b/test/old/testdir/test_taglist.vim
@@ -302,7 +302,7 @@ func Test_tag_complete_with_overlong_line()
 inboundGovernor a 2;" kind:⊢ type:forall (muxMode :: MuxMode) socket peerAddr versionNumber m a b. (MonadAsync m, MonadCatch m, MonadEvaluate m, MonadThrow m, MonadThrow (STM m), MonadTime m, MonadTimer m, MonadMask m, Ord peerAddr, HasResponder muxMode ~ True) => Tracer m (RemoteTransitionTrace peerAddr) -> Tracer m (InboundGovernorTrace peerAddr) -> ServerControlChannel muxMode peerAddr ByteString m a b -> DiffTime -> MuxConnectionManager muxMode socket peerAddr versionNumber ByteString m a b -> StrictTVar m InboundGovernorObservableState -> m Void
 inboundGovernorCounters a 3;" kind:⊢ type:InboundGovernorState muxMode peerAddr m a b -> InboundGovernorCounters
 END
- call writefile(tagslines, 'Xtags')
+ call writefile(tagslines, 'Xtags', 'D')
 set tags=Xtags
 
 " try with binary search
@@ -315,7 +315,21 @@ func Test_tag_complete_with_overlong_line()
 call assert_equal('"tag inboundGSV inboundGovernor inboundGovernorCounters', @:)
 set tagbsearch&
 
- call delete('Xtags')
+ set tags&
+endfunc
+
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+ CheckFeature emacs_tags
+ let longline = repeat('a', 515)
+ call writefile([
+ \ "\x0c",
+ \ longline
+ \ ], 'Xtags', 'D')
+ set tags=Xtags
+
+ call assert_fails(':tag a', 'E426:')
+ set tags&
 endfunc