From: zeertzjq Date: Sat, 4 Apr 2026 08:32:33 +0000 (+0000) Subject: patch 9.2.0293: :packadd may lead to heap-buffer-overflow X-Git-Tag: v9.2.0293^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bc182ae56eb71b94738aaa3bd607c32f584fc200;p=thirdparty%2Fvim.git patch 9.2.0293: :packadd may lead to heap-buffer-overflow Problem: :packadd may lead to heap-buffer-overflow when all entries in 'runtimepath' have the same length (after 9.2.0291). Solution: Check for comma after current entry properly (zeertzjq). related: #19854 closes: #19911 Signed-off-by: zeertzjq Signed-off-by: Christian Brabandt --- diff --git a/src/scriptfile.c b/src/scriptfile.c index 6df5781a73..df90fe7711 100644 --- a/src/scriptfile.c +++ b/src/scriptfile.c @@ -885,7 +885,7 @@ add_pack_dir_to_rtp(char_u *fname) buf.length = (size_t)copy_option_part(&entry, buf.string, MAXPATHL, ","); // keep track of p_rtp length as we go to make the STRLEN() below have less work to do - p_rtp_len += (*(p_rtp + buf.length) == ',') ? buf.length + 1 : buf.length; + p_rtp_len += (*(cur_entry + buf.length) == ',') ? buf.length + 1 : buf.length; if ((p = (char_u *)strstr((char *)buf.string, "after")) != NULL && p > buf.string diff --git a/src/testdir/test_packadd.vim b/src/testdir/test_packadd.vim index cd7126a9db..6a368762a9 100644 --- a/src/testdir/test_packadd.vim +++ b/src/testdir/test_packadd.vim @@ -26,6 +26,13 @@ func Test_packadd() " plugdir should be inserted before plugdir/after call assert_match('^nosuchdir,' . s:plugdir . ',', &rtp) + " This used to cause heep-buffer-overflow + " All existing entries in 'rtp' have the same length here + let &rtp = 'Xfoodir,Xbardir,Xbazdir' + packadd mytest + " plugdir should be inserted after the existing directories + call assert_match('^Xfoodir,Xbardir,Xbazdir,' .. s:plugdir .. ',', &rtp) + set rtp& let rtp = &rtp filetype on diff --git a/src/version.c b/src/version.c index c9db272bbb..50474f4ac5 100644 --- a/src/version.c +++ b/src/version.c 
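Review bot: The corrected check `*(cur_entry + buf.length) == ','` in add_pack_dir_to_rtp still assumes that `buf.length` equals the number of bytes consumed from 'runtimepath', which holds only when the entry is copied verbatim. If `copy_option_part()` drops a backslash before an escaped comma, truncates at `MAXPATHL`, or skips spaces after the separator, the running `p_rtp_len` drifts from the real offset; its body is not in this hunk, so this needs confirming. Because `entry` has already been advanced past the entry and its separator at that point, `p_rtp_len += (size_t)(entry - cur_entry);` would presumably track the offset exactly and stay within the option string. The function starts and ends outside the hunk, so the later use of `p_rtp_len` (the `STRLEN()` mentioned in the comment) should be checked against whichever form is kept.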
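Review bot: The added comment in Test_packadd misspells "heap" and does not say how the old failure showed up; `" This used to cause a heap-buffer-overflow (reported by ASan/Valgrind)` would be clearer if that is indeed how it was detected. The new `assert_match()` only checks the order of entries in 'rtp', so it may pass on an unfixed build that is not run under a memory checker. That cannot be determined from this hunk alone. The test also covers only plain entries of equal length; an entry containing an escaped comma (`\,`) would additionally exercise the length bookkeeping in add_pack_dir_to_rtp.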
@@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 293, /**/ 292, /**/