patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling v9.1.2132
authorChristian Brabandt <cb@256bit.org>
Thu, 5 Feb 2026 18:51:54 +0000 (18:51 +0000)
committerChristian Brabandt <cb@256bit.org>
Thu, 5 Feb 2026 19:01:12 +0000 (19:01 +0000)
Problem:  [security]: buffer-overflow in 'helpfile' option handling by
          using strcpy without bound checks (Rahul Hoysala)
Solution: Limit strncpy to the length of the buffer (MAXPATHL)

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43

Signed-off-by: Christian Brabandt <cb@256bit.org>
runtime/doc/version9.txt
src/tag.c
src/testdir/test_help.vim
src/version.c

index 52121472a0e23cc687ce5ee753f54cc5fb11d221..64c0882baad37843349f44207940c25d5659d08e 100644 (file)
@@ -52474,8 +52474,12 @@ Solution: Fix incorrect return value of pagescroll(). Also invert the
           match comments (zeertzjq).
 
 Patch 9.1.2131
-
 Problem:  tests: Test_diff_screen() fails on BSD
 Solution: Use gdiff on BSD systems if available (zeertzjq).
 
+Patch 9.1.2132
+Problem:  [security]: buffer-overflow in 'helpfile' option handling by
+          using strcpy without bound checks (Rahul Hoysala)
+Solution: Limit strncpy to the length of the buffer (MAXPATHL)
+
  vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
index 07890943f1ea266f67a8b78a38eb03b5a2d23622..78e7c80a1a034d3bcfebe54ebdabdb2491f4147b 100644 (file)
--- a/src/tag.c
+++ b/src/tag.c
@@ -3347,7 +3347,7 @@ get_tagfname(
            if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
                return FAIL;
            ++tnp->tn_hf_idx;
-           STRCPY(buf, p_hf);
+           vim_strncpy(buf, p_hf, MAXPATHL - 1);
            STRCPY(gettail(buf), "tags");
 #ifdef BACKSLASH_IN_FILENAME
            slash_adjust(buf);
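Review bot: The `STRCPY(gettail(buf), "tags")` on the line after the new `vim_strncpy()` call is still unbounded. The copy can now fill `buf` with up to `MAXPATHL - 1` bytes, so if the tail returned by `gettail()` begins within the last four bytes, writing `"tags"` plus its NUL still runs past the end (assuming `buf` holds `MAXPATHL` bytes, as the commit message indicates; its declaration is outside the hunk). Reserving room for the suffix closes this, e.g. `vim_strncpy(buf, p_hf, MAXPATHL - 5);  // leave room for "tags"`. Silent truncation also makes an over-long 'helpfile' resolve to a different path than the one configured, so returning FAIL when `STRLEN(p_hf) >= MAXPATHL` may be the cleaner behaviour. get_tagfname() starts and ends outside this hunk.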
index df2b0c0abc7bbbfd73024ab957eda829d4c8a8ab..d30ef17b02b949e72bf872befedb9aaf07873990 100644 (file)
@@ -275,4 +275,13 @@ func Test_help_command_termination()
   helpclose
 endfunc
 
+" This caused a buffer overflow
+func Test_helpfile_overflow()
+  let _helpfile = &helpfile
+  let &helpfile = repeat('A', 5000)
+  help
+  helpclose
+  let &helpfile = _helpfile
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
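Review bot: `let &helpfile = _helpfile` in Test_helpfile_overflow() is only reached when `help` and `helpclose` both succeed, so a failure would probably leave the 5000-byte 'helpfile' value set for later tests in the same run. Wrapping the two commands in `try` … `finally` with the restore in the `finally` part keeps the option change local to this test. The test also has no assertion and relies on a crash or sanitizer report to fail, which is worth stating in the comment, e.g. `" This caused a buffer overflow (detected by ASan/valgrind)`.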
index c42ad8c0325bc958cd5278ca34cf7b0905ce28c8..88c82b78b82a1e36da3da8f00a8ff726f375dff6 100644 (file)
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2132,
 /**/
     2131,
 /**/