Commit: patch 9.2.0074: [security]: Crash with overlong emacs tag file
1 view
Skip to first unread message
Christian Brabandt
Feb 27, 2026, 4:16:51 PM (5 days ago) Feb 27
to vim...@googlegroups.com
patch 9.2.0074: [security]: Crash with overlong emacs tag file
Commit: https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d
Author: Christian Brabandt <c...@256bit.org>
Date: Mon Feb 23 18:30:11 2026 +0000
patch 9.2.0074: [security]: Crash with overlong emacs tag file
Problem: Crash with overlong emacs tag file, because of an OOB buffer
read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/tag.c b/src/tag.c
index 6968aac27..4e0cb9a6c 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -1901,6 +1901,9 @@ emacs_tags_new_filename(findtags_state_T *st)
for (p = st->ebuf; *p && *p != ','; p++)
;
+ // invalid
+ if (*p == NUL)
+ return;
*p = NUL;
// check for an included tags file.
diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
index 5a946042b..506e64f7a 100644
--- a/src/testdir/test_taglist.vim
+++ b/src/testdir/test_taglist.vim
@@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line()
set tags&
endfunc
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+ CheckFeature emacs_tags
+ let longline = repeat('a', 515)
+ call writefile([
+ \ "\x0c",
+ \ longline
+ \ ], 'Xtags', 'D')
+ set tags=Xtags
+
+ call assert_fails(':tag a', 'E426:')
+
+ set tags&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 3d969453b..c44e31e5f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 74,
/**/
73,
/**/
Commit: https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d
Author: Christian Brabandt <c...@256bit.org>
Date: Mon Feb 23 18:30:11 2026 +0000
patch 9.2.0074: [security]: Crash with overlong emacs tag file
Problem: Crash with overlong emacs tag file, because of an OOB buffer
read (ehdgks0627, un3xploitable)
Solution: Check for end of buffer and return early.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/tag.c b/src/tag.c
index 6968aac27..4e0cb9a6c 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -1901,6 +1901,9 @@ emacs_tags_new_filename(findtags_state_T *st)
for (p = st->ebuf; *p && *p != ','; p++)
;
+ // invalid
+ if (*p == NUL)
+ return;
*p = NUL;
// check for an included tags file.
diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
index 5a946042b..506e64f7a 100644
--- a/src/testdir/test_taglist.vim
+++ b/src/testdir/test_taglist.vim
@@ -301,4 +301,19 @@ func Test_tag_complete_with_overlong_line()
set tags&
endfunc
+" This used to crash Vim
+func Test_evil_emacs_tagfile()
+ CheckFeature emacs_tags
+ let longline = repeat('a', 515)
+ call writefile([
+ \ "\x0c",
+ \ longline
+ \ ], 'Xtags', 'D')
+ set tags=Xtags
+
+ call assert_fails(':tag a', 'E426:')
+
+ set tags&
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 3d969453b..c44e31e5f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 74,
/**/
73,
/**/
Reply all
Reply to author
Forward
0 new messages