Commit: patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling


Christian Brabandt

Feb 5, 2026, 2:16:32 PM (12 days ago) Feb 5
to vim...@googlegroups.com
patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling

Commit: https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
Author: Christian Brabandt <c...@256bit.org>
Date: Thu Feb 5 18:51:54 2026 +0000

patch 9.1.2132: [security]: buffer-overflow in 'helpfile' option handling

Problem: [security]: buffer-overflow in 'helpfile' option handling by
using strcpy without bound checks (Rahul Hoysala)
Solution: Limit strncpy to the length of the buffer (MAXPATHL)

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/runtime/doc/version9.txt b/runtime/doc/version9.txt
index 52121472a..64c0882ba 100644
--- a/runtime/doc/version9.txt
+++ b/runtime/doc/version9.txt
@@ -52474,8 +52474,12 @@ Solution: Fix incorrect return value of pagescroll(). Also invert the
match comments (zeertzjq).

Patch 9.1.2131
-
Problem: tests: Test_diff_screen() fails on BSD
Solution: Use gdiff on BSD systems if available (zeertzjq).

+Patch 9.1.2132
+Problem: [security]: buffer-overflow in 'helpfile' option handling by
+ using strcpy without bound checks (Rahul Hoysala)
+Solution: Limit strncpy to the length of the buffer (MAXPATHL)
+
vim:tw=78:ts=8:noet:ft=help:norl:fdm=manual:nofoldenable
diff --git a/src/tag.c b/src/tag.c
index 07890943f..78e7c80a1 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -3347,7 +3347,7 @@ get_tagfname(
if (tnp->tn_hf_idx > tag_fnames.ga_len || *p_hf == NUL)
return FAIL;
++tnp->tn_hf_idx;
- STRCPY(buf, p_hf);
+ vim_strncpy(buf, p_hf, MAXPATHL - 1);
STRCPY(gettail(buf), "tags");
#ifdef BACKSLASH_IN_FILENAME
slash_adjust(buf);
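Review bot: The unchecked `STRCPY(gettail(buf), "tags");` on the line right after the new `vim_strncpy()` can still write past the end of `buf` when the truncated 'helpfile' value ends at or just after a path separator, because the copy may fill all MAXPATHL - 1 bytes and leaves no room for "tags" plus its NUL. Assuming `buf` is MAXPATHL bytes as the commit message says (its declaration is outside the hunk), reserving that space would close the gap: `vim_strncpy(buf, p_hf, MAXPATHL - 1 - STRLEN("tags"));`. Silent truncation also makes the lookup use a different path than the one configured, so returning FAIL for an over-long value may be the cleaner behaviour. The new Test_helpfile_overflow() uses a value without any separator, so gettail() resolves to the start of the buffer and this case is not covered by the regression test. get_tagfname's body starts and ends outside the hunk.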
diff --git a/src/testdir/test_help.vim b/src/testdir/test_help.vim
index df2b0c0ab..d30ef17b0 100644
--- a/src/testdir/test_help.vim
+++ b/src/testdir/test_help.vim
@@ -275,4 +275,13 @@ func Test_help_command_termination()
helpclose
endfunc

+" This caused a buffer overflow
+func Test_helpfile_overflow()
+ let _helpfile = &helpfile
+ let &helpfile = repeat('A', 5000)
+ help
+ helpclose
+ let &helpfile = _helpfile
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index c42ad8c03..88c82b78b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2132,
/**/
2131,
/**/