From f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Mon, 23 Feb 2026 18:30:11 +0000 Subject: [PATCH] patch 9.2.0074: [security]: Crash with overlong emacs tag file Problem: Crash with overlong emacs tag file, because of an OOB buffer read (ehdgks0627, un3xploitable) Solution: Check for end of buffer and return early. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j Signed-off-by: Christian Brabandt CVE: CVE-2026-28418 Upstream-Status: Backport [https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d] Signed-off-by: Hitendra Prajapati --- src/tag.c | 3 +++ src/testdir/test_taglist.vim | 15 +++++++++++++++ src/version.c | 2 ++ 3 files changed, 20 insertions(+) diff --git a/src/tag.c b/src/tag.c index a32bbb2459..45af67f20d 100644 --- a/src/tag.c +++ b/src/tag.c @@ -1902,6 +1902,9 @@ emacs_tags_new_filename(findtags_state_T *st) for (p = st->ebuf; *p && *p != ','; p++) ; + // invalid + if (*p == NUL) + return; *p = NUL; // check for an included tags file. diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim index 5a946042be..506e64f7ae 100644 --- a/src/testdir/test_taglist.vim +++ b/src/testdir/test_taglist.vim @@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line() set tags& endfunc +" This used to crash Vim +func Test_evil_emacs_tagfile() + CheckFeature emacs_tags + let longline = repeat('a', 515) + call writefile([ + \ "\x0c", + \ longline + \ ], 'Xtags', 'D') + set tags=Xtags + + call assert_fails(':tag a', 'E426:') + + set tags& +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 712a3e637c..7d265ab641 100644 --- a/src/version.c +++ b/src/version.c @@ -724,6 +724,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1685, /**/ 1684, /**/ -- 2.50.1