Problem: When parsing a malformed Emacs-style tags file, a 1-byte
heap-buffer-underflow read occurs if the 0x7f delimiter
appears at the very beginning of a line. This happens
because the code attempts to scan backward for a tag
name from the delimiter without checking if space exists.
(ehdgks0627, un3xploitable)
Solution: Add a check to ensure the delimiter (p_7f) is not at the
start of the buffer (lbuf) before attempting to isolate
the tag name.
GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv
Signed-off-by: Christian Brabandt <cb@256bit.org>
}
else // second format: isolate tagname
{
+ if (p_7f == lbuf)
+ goto etag_fail;
+
// find end of tagname
for (p = p_7f - 1; !vim_iswordc(*p); --p)
if (p == lbuf)
set tags&
endfunc
+" This used to crash Vim due to a heap-buffer-underflow
+func Test_emacs_tagfile_underflow()
+ CheckFeature emacs_tags
+ " The sequence from the crash artifact:
+ let lines = [
+ \ "\x0c\xff\xffT\x19\x8a",
+ \ "\x19\x19\x0dtags\x19\x19\x19\x00\xff\xff\xff",
+ \ "\x7f3\x0c"
+ \ ]
+ call writefile(lines, 'Xtags', 'D')
+ set tags=Xtags
+ call assert_fails(':tag a', 'E431:')
+
+ set tags&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 75,
/**/
74,
/**/
projects / thirdparty / vim.git / commitdiff
