Commit: patch 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file


Christian Brabandt

Mar 5, 2025, 2:15:18 PM3/5/25
to vim...@googlegroups.com
patch 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file

Commit: https://github.com/vim/vim/commit/3ed6659549e447ff00def8edc841321e497f70a8
Author: zeertzjq <zeer...@outlook.com>
Date: Wed Mar 5 20:05:18 2025 +0100

patch 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file

Problem: heap-buffer-overflow with 'nostartofline' and Ex command in
tag file.
Solution: Set cursor column when moving cursor to line 1 (zeertzjq).

closes: #16796

Signed-off-by: zeertzjq <zeer...@outlook.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/tag.c b/src/tag.c
index 21ff5636a..f61f11674 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -3997,6 +3997,8 @@ jumpto_tag(
++sandbox;
#endif
curwin->w_cursor.lnum = 1; // start command in line 1
+ curwin->w_cursor.col = 0;
+ curwin->w_cursor.coladd = 0;
do_cmdline_cmd(pbuf);
retval = OK;
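Review bot: The two added assignments to `w_cursor.col` and `w_cursor.coladd` have no comment saying why they are needed, although the `lnum` line directly above them has one. Going by the commit message, the column left over from the previous cursor position can lie past the end of line 1 when 'nostartofline' is set, and the Ex command from the tag file then runs at that position. A comment such as `// col/coladd may be stale and point past the end of line 1` would keep a later cleanup from dropping the resets as redundant. jumpto_tag starts and ends outside this hunk, so any other place in it that changes `w_cursor.lnum` without also setting the column is not visible here and is worth checking for the same pattern.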

diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 67bd95fe1..e4b258c57 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -1633,4 +1633,21 @@ func Test_tag_guess_short()
set tags& cpoptions-=t
endfunc

+func Test_tag_excmd_with_nostartofline()
+ call writefile(["!_TAG_FILE_ENCODING utf-8 //",
+ \ "f Xfile ascii"],
+ \ 'Xtags', 'D')
+ call writefile(['f', 'foobar'], 'Xfile', 'D')
+
+ set nostartofline
+ new Xfile
+ setlocal tags=Xtags
+ normal! G$
+ " This used to cause heap-buffer-overflow
+ tag f
+
+ bwipe!
+ set startofline&
+endfunc
+
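Review bot: Test_tag_excmd_with_nostartofline covers only the stale `w_cursor.col` (set up by `normal! G$`); the `coladd` reset added in src/tag.c is not exercised. A second case that sets 'virtualedit' and places the cursor past the end of the last line before `tag f`, restoring the option with `set virtualedit&` afterwards, would cover it. The test also makes no assertion after `tag f`, so it presumably detects a regression only in a build run under a memory checker. If the cursor position after the jump is stable, a check such as `call assert_equal(1, line('.'))` plus a column check would make the intent explicit; confirm the expected values against the fixed build.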
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index aac7ed1ae..cfb661e70 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1172,
/**/
1171,
/**/