From: zeertzjq Date: Fri, 6 Feb 2026 09:37:58 +0000 (+0000) Subject: patch 9.1.2133: Another case of buffer overflow with 'helpfile' X-Git-Tag: v9.1.2133^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21d591fb12b08b52d92253bf9ac4b866475d62d6;p=thirdparty%2Fvim.git patch 9.1.2133: Another case of buffer overflow with 'helpfile' Problem: Another case of buffer overflow with 'helpfile'. Solution: Leave room for "tags" in the buffer (zeertzjq). closes: #19340 Signed-off-by: zeertzjq Signed-off-by: Christian Brabandt --- diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt index 64c0882baa..5b43fa91bf 100644 --- a/runtime/doc/version9.txt +++ b/runtime/doc/version9.txt @@ -1,4 +1,4 @@ -*version9.txt* For Vim version 9.1. Last change: 2026 Feb 04 +*version9.txt* For Vim version 9.1. Last change: 2026 Feb 06 VIM REFERENCE MANUAL by Bram Moolenaar @@ -52482,4 +52482,8 @@ Problem: [security]: buffer-overflow in 'helpfile' option handling by using strcpy without bound checks (Rahul Hoysala) Solution: Limit strncpy to the length of the buffer (MAXPATHL) +Patch 9.1.2133 +Problem: Another case of buffer overflow with 'helpfile'. +Solution: Leave room for "tags" in the buffer (zeertzjq). + vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable diff --git a/src/tag.c b/src/tag.c index 78e7c80a1a..6968aac27c 100644 --- a/src/tag.c +++ b/src/tag.c @@ -3347,7 +3347,7 @@ get_tagfname( if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL) return FAIL; ++tnp->tn_hf_idx; - vim_strncpy(buf, p_hf, MAXPATHL - 1); + vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1); STRCPY(gettail(buf), "tags"); #ifdef BACKSLASH_IN_FILENAME slash_adjust(buf); diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim index d30ef17b02..1a52998f9f 100644 --- a/src/testdir/test_help.vim +++ b/src/testdir/test_help.vim 
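Review bot: In the src/tag.c hunk, an over-long 'helpfile' is still silently truncated by `vim_strncpy(buf, p_hf, MAXPATHL - STRLEN_LITERAL("tags") - 1)`, so the tags path is then built from a cut-off name rather than the configured one. If that lookup is not wanted, a guard before the copy such as `if (STRLEN(p_hf) >= MAXPATHL - STRLEN_LITERAL("tags")) return FAIL;` would skip the entry instead; whether callers tolerate FAIL here should be confirmed, since get_tagfname starts and ends outside the hunk. The unbounded `STRCPY(gettail(buf), "tags")` now relies entirely on this arithmetic and on `buf` holding at least MAXPATHL bytes, which the hunk does not show. A comment on the copy would record that invariant, for example `// Leave room for "tags" + NUL: gettail() may return the end of buf.`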
@@ -281,6 +281,11 @@ func Test_helpfile_overflow() let &helpfile = repeat('A', 5000) help helpclose + for i in range(4089, 4096) + let &helpfile = repeat('A', i) .. '/A' + help + helpclose + endfor let &helpfile = _helpfile endfunc diff --git a/src/version.c b/src/version.c index 88c82b78b8..fea5c51edf 100644 --- a/src/version.c +++ b/src/version.c @@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 2133, /**/ 2132, /**/
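Review bot: The added loop in Test_helpfile_overflow hard-codes `range(4089, 4096)`, which appears to assume MAXPATHL is 4096. On a build where MAXPATHL is smaller, these lengths would all fall well past the boundary and the off-by-a-few case this patch fixes would not be exercised. A comment above the loop would make the intent clear, for example `" lengths just below and above MAXPATHL (4096 assumed), with a trailing path component`. The loop only runs `help` and `helpclose` without asserting anything, so it presumably detects a regression only on builds with a memory checker (ASan or valgrind); the comment should say that too.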