From: Kaixuan Li Date: Tue, 17 Mar 2026 19:07:53 +0000 (+0000) Subject: patch 9.2.0186: heap buffer overflow with long generic function name X-Git-Tag: v9.2.0186^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f9bed026acb6e9222d93098f4cb96b2595fadbbe;p=thirdparty%2Fvim.git patch 9.2.0186: heap buffer overflow with long generic function name Problem: Using a long generic function name may cause a heap buffer overflow in common_function(). Solution: Allocate memory for the full name instead of using IObuff (Kaixuan Li). closes: #19727 Signed-off-by: Kaixuan Li Signed-off-by: Yegappan Lakshmanan Signed-off-by: Christian Brabandt
---
diff --git a/src/evalfunc.c b/src/evalfunc.c
index 6d40794c05..f790aa826a 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -5436,9 +5436,13 @@ common_function(typval_T *argvars, typval_T *rettv, int is_funcref)
 else
 {
 // generic function
- STRCPY(IObuff, name);
- STRCAT(IObuff, start_bracket);
- rettv->vval.v_string = vim_strsave(IObuff);
+ size_t len = STRLEN(name) + STRLEN(start_bracket);
+ rettv->vval.v_string = alloc(len + 1);
+ if (rettv->vval.v_string != NULL)
+ {
+ STRCPY(rettv->vval.v_string, name);
+ STRCAT(rettv->vval.v_string, start_bracket);
+ }
 vim_free(name);
 }
 }
diff --git a/src/testdir/test_vimscript.vim b/src/testdir/test_vimscript.vim
index a79c682791..9248c5d6bc 100644
--- a/src/testdir/test_vimscript.vim
+++ b/src/testdir/test_vimscript.vim
@@ -7689,6 +7689,19 @@ func Test_catch_pattern_trailing_chars()
 bw!
 endfunc
+" Test for long gerneric type name {{{1
+func Test_function_long_generic_name()
+ func TestFunc()
+ return
+ endfunc
+
+ let name = 'TestFunc<' .. repeat('T', 1100) .. '>'
+
+ call function(name)
+ call funcref(name)
+ delfunc TestFunc
+endfunc
+
 "-------------------------------------------------------------------------------
 " Modelines {{{1
 " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker
diff --git a/src/version.c b/src/version.c
index 1f2cf0ec24..05bc54c3a5 100644
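Review bot: The hand-computed length followed by `STRCPY`/`STRCAT` in the generic-function branch repeats what the existing `concat_str()` helper already does, so the seven added lines could be `rettv->vval.v_string = concat_str(name, start_bracket);`, which keeps the size arithmetic in one shared place instead of at the call site. When the allocation fails, `v_string` is left NULL; the removed `vim_strsave(IObuff)` could return NULL as well, so this is not new, but whether the code after this branch tolerates a NULL name is decided outside the hunk and is worth confirming. The body of `common_function()` starts and ends outside the hunk.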
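Review bot: `Test_function_long_generic_name()` contains no assert, so it appears to catch a regression only when the suite runs under a memory checker such as ASan or Valgrind; a plain build could write past the buffer and still pass. A comment above the `let name` line saying so, for example `" No assert: an overflow here is only reported by ASan/Valgrind`, would tell the next reader why the calls are bare and why the literal `1100` was chosen. If `function(name)` or `funcref(name)` throws, `delfunc TestFunc` is skipped and the helper stays defined for later tests, which a `try` / `finally` around the two calls would avoid. The header comment also misspells the word: `gerneric` should be `generic`.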
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 186,
 /**/
 185,
 /**/