From: Christian Brabandt <cb@256bit.org>
Date: Mon, 23 Feb 2026 18:30:11 +0000 (+0000)
Subject: patch 9.2.0074: [security]: Crash with overlong emacs tag file
X-Git-Tag: v9.2.0074^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d;p=thirdparty%2Fvim.git

patch 9.2.0074: [security]: Crash with overlong emacs tag file

Problem:  Crash with overlong emacs tag file, because of an OOB buffer
          read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j

Signed-off-by: Christian Brabandt <cb@256bit.org>
---

diff --git a/src/tag.c b/src/tag.c
index 6968aac27c..4e0cb9a6cd 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -1901,6 +1901,9 @@ emacs_tags_new_filename(findtags_state_T *st)
 
     for (p = st->ebuf; *p && *p != ','; p++)
 	;
+    // invalid
+    if (*p == NUL)
+	return;
     *p = NUL;
 
     // check for an included tags file.
diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
index 5a946042be..506e64f7ae 100644
--- a/src/testdir/test_taglist.vim
+++ b/src/testdir/test_taglist.vim
@@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line()
   set tags&
 endfunc
 
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+  CheckFeature emacs_tags
+  let longline = repeat('a', 515)
+  call writefile([
+	\ "\x0c",
+	\ longline
+	\ ], 'Xtags', 'D')
+  set tags=Xtags
+
+  call assert_fails(':tag a', 'E426:')
+
+  set tags&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 3d969453bc..c44e31e5fa 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    74,
 /**/
     73,
 /**/