From: Christian Brabandt Date: Thu, 5 Feb 2026 18:51:54 +0000 (+0000) Subject: patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling X-Git-Tag: v9.1.2132^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0714b15940b245108e6e9d7aa2260dd849a26fa9;p=thirdparty%2Fvim.git patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling Problem: [security]: buffer-overflow in 'helpfile' option handling by using strcpy without bound checks (Rahul Hoysala) Solution: Limit strncpy to the length of the buffer (MAXPATHL) Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 Signed-off-by: Christian Brabandt --- diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt index 52121472a0..64c0882baa 100644 --- a/runtime/doc/version9.txt +++ b/runtime/doc/version9.txt @@ -52474,8 +52474,12 @@ Solution: Fix incorrect return value of pagescroll(). Also invert the match comments (zeertzjq). Patch 9.1.2131 - Problem: tests: Test_diff_screen() fails on BSD Solution: Use gdiff on BSD systems if available (zeertzjq). +Patch 9.1.2132 +Problem: [security]: buffer-overflow in 'helpfile' option handling by + using strcpy without bound checks (Rahul Hoysala) +Solution: Limit strncpy to the length of the buffer (MAXPATHL) + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable diff --git a/src/tag.c b/src/tag.c index 07890943f1..78e7c80a1a 100644 --- a/src/tag.c +++ b/src/tag.c @@ -3347,7 +3347,7 @@ get_tagfname( if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) return FAIL; ++tnp->tn_hf_idx; - STRCPY(buf, p_hf); + vim_strncpy(buf, p_hf, MAXPATHL - 1); STRCPY(gettail(buf), "tags"); #ifdef BACKSLASH_IN_FILENAME slash_adjust(buf); diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim index df2b0c0abc..d30ef17b02 100644 --- a/src/testdir/test_help.vim +++ b/src/testdir/test_help.vim 
@@ -275,4 +275,13 @@ func Test_help_command_termination() helpclose endfunc +" This caused a buffer overflow +func Test_helpfile_overflow() + let _helpfile = &helpfile + let &helpfile = repeat('A', 5000) + help + helpclose + let &helpfile = _helpfile +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index c42ad8c032..88c82b78b8 100644 --- a/src/version.c +++ b/src/version.c @@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 2132, /**/ 2131, /**/
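Review bot: In the src/tag.c hunk of get_tagfname(), the new bound of MAXPATHL - 1 leaves no room for the unchanged line right after it, `STRCPY(gettail(buf), "tags");`, which is still an unbounded copy. If buf holds MAXPATHL bytes, as the commit message says, and gettail() returns a pointer to the last path component (an assumption, its body is not in this diff), then a truncated 'helpfile' value whose last path separator sits near the end of the copy lets the five bytes of "tags" and its terminating NUL run past the end of buf. Suggest reserving space for the suffix, for example by copying at most MAXPATHL - 5 bytes, or bounding the second copy by the space that remains after gettail(buf).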
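Review bot: Test_helpfile_overflow() in src/testdir/test_help.vim sets 'helpfile' only to `repeat('A', 5000)`, a value with no path separator, so it covers the first copy in get_tagfname() but not the `STRCPY(gettail(buf), "tags")` that follows it; a second case whose over-long value includes a directory part would cover that line as well. The restore `let &helpfile = _helpfile` is also skipped if `help` or `helpclose` throws, so wrapping the body in try/finally would keep a failure here from leaking the option value into later tests.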