patch 9.1.2133: Another case of buffer overflow with 'helpfile'

author zeertzjq <zeertzjq@outlook.com>

Fri, 6 Feb 2026 09:37:58 +0000 (09:37 +0000)

committer Christian Brabandt <cb@256bit.org>

Fri, 6 Feb 2026 09:37:58 +0000 (09:37 +0000)
author zeertzjq <zeertzjq@outlook.com>
Fri, 6 Feb 2026 09:37:58 +0000 (09:37 +0000)
committer Christian Brabandt <cb@256bit.org>
Fri, 6 Feb 2026 09:37:58 +0000 (09:37 +0000)
diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt

index 64c0882baad37843349f44207940c25d5659d08e..5b43fa91bf8da2e73b6875aa0edcd0a003fbbe37 100644 (file)
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -1,4 +1,4 @@
-*version9.txt* For Vim version 9.1.  Last change: 2026 Feb 04
+*version9.txt* For Vim version 9.1.  Last change: 2026 Feb 06
  
  
                   VIM REFERENCE MANUAL    by Bram Moolenaar
@@ -52482,4 +52482,8 @@ Problem:  [security]: buffer-overflow in 'helpfile' option handling by
            using strcpy without bound checks (Rahul Hoysala)
  Solution: Limit strncpy to the length of the buffer (MAXPATHL)
  
+Patch 9.1.2133
+Problem:  Another case of buffer overflow with 'helpfile'.
+Solution: Leave room for "tags" in the buffer (zeertzjq).
+
   vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
diff --git a/src/tag.c b/src/tag.c

index 78e7c80a1a034d3bcfebe54ebdabdb2491f4147b..6968aac27c499a8b89d2536ed5522b0521946e4a 100644 (file)
--- a/src/tag.c
+++ b/src/tag.c
@@ -3347,7 +3347,7 @@ get_tagfname(
             if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
                 return FAIL;
             ++tnp->tn_hf_idx;
-           vim_strncpy(buf, p_hf, MAXPATHL - 1);
+           vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1);
             STRCPY(gettail(buf), "tags");
  #ifdef BACKSLASH_IN_FILENAME
             slash_adjust(buf);
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim

index d30ef17b02b949e72bf872befedb9aaf07873990..1a52998f9f32332fbeb999dfaa9a094fe6ebf0d3 100644 (file)
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -281,6 +281,11 @@ func Test_helpfile_overflow()
    let &helpfile = repeat('A', 5000)
    help
    helpclose
+  for i in range(4089, 4096)
+    let &helpfile = repeat('A', i) .. '/A'
+    help
+    helpclose
+  endfor
    let &helpfile = _helpfile
  endfunc
  
diff --git a/src/version.c b/src/version.c

index 88c82b78b82a1e36da3da8f00a8ff726f375dff6..fea5c51edfe7ac056173e56183810a16f674dbb7 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    2133,
  /**/
      2132,
  /**/
author	zeertzjq <zeertzjq@outlook.com>
	Fri, 6 Feb 2026 09:37:58 +0000 (09:37 +0000)
committer	Christian Brabandt <cb@256bit.org>
	Fri, 6 Feb 2026 09:37:58 +0000 (09:37 +0000)
runtime/doc/version9.txt		patch \| blob \| blame \| history
src/tag.c		patch \| blob \| blame \| history
src/testdir/test_help.vim		patch \| blob \| blame \| history
src/version.c		patch \| blob \| blame \| history