From e0065a61a42bdff9c75aa18104f8ff546938395f Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Thu, 5 Feb 2026 18:51:54 +0000 Subject: [PATCH] patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling Problem: [security]: buffer-overflow in 'helpfile' option handling by using strcpy without bound checks (Rahul Hoysala) Solution: Limit strncpy to the length of the buffer (MAXPATHL) Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 CVE: CVE-2026-25749 Upstream-Status: Backport [https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9] Backport Changes: - Excluded changes to src/version.c and runtime/doc/version9.txt from this backport. This file only tracks upstream version increments. We are applying a security fix, not a version upgrade. These changes were skipped to maintain current package versioning and avoid merge conflicts. Signed-off-by: Christian Brabandt (cherry picked from commit 0714b15940b245108e6e9d7aa2260dd849a26fa9) Signed-off-by: Anil Dongare
---
 src/tag.c | 2 +-
 src/testdir/test_help.vim | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/tag.c b/src/tag.c
index 6912e8743..a32bbb245 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -3348,7 +3348,7 @@ get_tagfname(
 if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
 return FAIL;
 ++tnp->tn_hf_idx;
- STRCPY(buf, p_hf);
+ vim_strncpy(buf, p_hf, MAXPATHL - 1);
 STRCPY(gettail(buf), "tags");
 #ifdef BACKSLASH_IN_FILENAME
 slash_adjust(buf);
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
index dac153d86..f9e4686bb 100644
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -222,4 +222,13 @@ func Test_helptag_navigation()
 endfunc
+" This caused a buffer overflow
+func Test_helpfile_overflow()
+ let _helpfile = &helpfile
+ let &helpfile = repeat('A', 5000)
+ help
+ helpclose
+ let &helpfile = _helpfile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
--
2.43.7
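Review bot: The unbounded `STRCPY(gettail(buf), "tags");` that follows the new bounded copy can still write past the end of `buf` when the truncated value ends in a path tail shorter than four bytes. Assuming `buf` holds MAXPATHL bytes (as the commit message implies) and `vim_strncpy()` NUL-terminates at index `len`, the tail could start as late as `buf + MAXPATHL - 1`, and appending "tags" plus its NUL there would overrun by up to four bytes. Reserving room for the suffix closes this, e.g. `vim_strncpy(buf, p_hf, MAXPATHL - sizeof("tags"));`, or the function could return FAIL when `STRLEN(p_hf)` does not fit. The silent truncation also deserves a short comment, since a truncated 'helpfile' yields a different directory rather than an error. The body of get_tagfname() starts and ends outside this hunk, so the actual size of `buf` should be confirmed at the callers.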
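Review bot: Test_helpfile_overflow() restores 'helpfile' only on the success path, so if `:help` or `:helpclose` raises an error the 5000-byte value leaks into every later test in the file. Wrapping the two commands as `try` / `help` / `helpclose` / `finally` / `let &helpfile = _helpfile` / `endtry` keeps the restore unconditional. The test also asserts nothing, so it detects a regression only when the suite runs under a memory checker or the overflow happens to crash. The leading comment could say so, e.g. `" Must not overflow the MAXPATHL buffer in get_tagfname(); relies on ASan/valgrind to catch a regression`.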