Commit: patch 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag file

Wed, 05 Mar 2025 11:15:17 -0800 

patch 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in tag 
file

Commit: 
https://github.com/vim/vim/commit/3ed6659549e447ff00def8edc841321e497f70a8
Author: zeertzjq <zeert...@outlook.com>
Date:   Wed Mar 5 20:05:18 2025 +0100

    patch 9.1.1172: [security]: overflow with 'nostartofline' and Ex command in 
tag file
    
    Problem:  heap-buffer-overflow with 'nostartofline' and Ex command in
              tag file.
    Solution: Set cursor column when moving cursor to line 1 (zeertzjq).
    
    closes: #16796
    
    Signed-off-by: zeertzjq <zeert...@outlook.com>
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/tag.c b/src/tag.c
index 21ff5636a..f61f11674 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -3997,6 +3997,8 @@ jumpto_tag(
            ++sandbox;
 #endif
            curwin->w_cursor.lnum = 1;          // start command in line 1
+           curwin->w_cursor.col = 0;
+           curwin->w_cursor.coladd = 0;
            do_cmdline_cmd(pbuf);
            retval = OK;
 
diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 67bd95fe1..e4b258c57 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -1633,4 +1633,21 @@ func Test_tag_guess_short()
   set tags& cpoptions-=t
 endfunc
 
+func Test_tag_excmd_with_nostartofline()
+  call writefile(["!_TAG_FILE_ENCODING utf-8   //",
+        \ "f   Xfile   ascii"],
+        \ 'Xtags', 'D')
+  call writefile(['f', 'foobar'], 'Xfile', 'D')
+
+  set nostartofline
+  new Xfile
+  setlocal tags=Xtags
+  normal! G$
+  " This used to cause heap-buffer-overflow
+  tag f
+
+  bwipe!
+  set startofline&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index aac7ed1ae..cfb661e70 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1172,
 /**/
     1171,
 /**/

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/vim_dev/E1tpuCz-00AXH1-VC%40256bit.org.

Raspunde prin e-mail lui