patch 9.2.0074: [security]: Crash with overlong emacs tag file v9.2.0074
authorChristian Brabandt <cb@256bit.org>
Mon, 23 Feb 2026 18:30:11 +0000 (18:30 +0000)
committerChristian Brabandt <cb@256bit.org>
Fri, 27 Feb 2026 20:38:33 +0000 (20:38 +0000)
Problem:  Crash with overlong emacs tag file, because of an OOB buffer
          read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/tag.c
src/testdir/test_taglist.vim
src/version.c

index 6968aac27c499a8b89d2536ed5522b0521946e4a..4e0cb9a6cda6a876b9105bc0f721644e5a77c4ca 100644 (file)
--- a/src/tag.c
+++ b/src/tag.c
@@ -1901,6 +1901,9 @@ emacs_tags_new_filename(findtags_state_T *st)
 
     for (p = st->ebuf; *p && *p != ','; p++)
        ;
+    // invalid
+    if (*p == NUL)
+       return;
     *p = NUL;
 
     // check for an included tags file.
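Review bot: The `// invalid` comment on the added early return does not say what is invalid or why the function must stop here, so the bounds reasoning behind this security fix is only recoverable from the advisory. A comment such as `// no ',' on the line: not a valid emacs file entry, and p + 1 would lie past the terminating NUL` would record it; this assumes the code after the hunk reads from `p + 1`, which is not visible here. It is also worth confirming that returning at this point, presumably before the new file name is stored, does not leave later tag lines attributed to the previously parsed file. The body of emacs_tags_new_filename starts before the hunk and continues after it.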
index 5a946042be8491de96d062840aeebf154542e604..506e64f7aee00eac86bbb12f2f9c3b0b742b99b5 100644 (file)
@@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line()
   set tags&
 endfunc
 
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+  CheckFeature emacs_tags
+  let longline = repeat('a', 515)
+  call writefile([
+       \ "\x0c",
+       \ longline
+       \ ], 'Xtags', 'D')
+  set tags=Xtags
+
+  call assert_fails(':tag a', 'E426:')
+
+  set tags&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
index 3d969453bc38935c1077568edd7a16b819374b07..c44e31e5fa14c3e2ad2aa5b4d5714f34134ad029 100644 (file)
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    74,
 /**/
     73,
 /**/