commit e85fc92a6ba4b2bf165b360846b6fb460e98ab52
parent 95ddabdb2b0995b39a13f14de0f5ecabcda00dcd
Author: zeertzjq <zeertzjq@outlook.com>
Date: Sat, 28 Feb 2026 08:11:48 +0800
vim-patch:9.2.0075: [security]: Buffer underflow with emacs tag file
Problem: When parsing a malformed Emacs-style tags file, a 1-byte
heap-buffer-underflow read occurs if the 0x7f delimiter
appears at the very beginning of a line. This happens
because the code attempts to scan backward for a tag
name from the delimiter without checking if space exists.
(ehdgks0627, un3xploitable)
Solution: Add a check to ensure the delimiter (p_7f) is not at the
start of the buffer (lbuf) before attempting to isolate
the tag name.
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv
https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
1 file changed, 16 insertions(+), 0 deletions(-)
diff --git a/test/old/testdir/test_taglist.vim b/test/old/testdir/test_taglist.vim
@@ -333,4 +333,20 @@ func Test_evil_emacs_tagfile()
set tags&
endfunc
+" This used to crash Vim due to a heap-buffer-underflow
+func Test_emacs_tagfile_underflow()
+ CheckFeature emacs_tags
+ " The sequence from the crash artifact:
+ let lines = [
+ \ "\x0c\xff\xffT\x19\x8a",
+ \ "\x19\x19\x0dtags\x19\x19\x19\x00\xff\xff\xff",
+ \ "\x7f3\x0c"
+ \ ]
+ call writefile(lines, 'Xtags', 'D')
+ set tags=Xtags
+ call assert_fails(':tag a', 'E431:')
+
+ set tags&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
