patch 8.0.1409: buffer overflow in :tags command

Problem:    Buffer overflow in :tags command.
Solution:   Use vim_snprintf(). (Dominique Pelle, closes #2471, closes #2475)
            Add a test.

diff --git a/src/tag.c b/src/tag.c
index 0233822c1d0303754f10f69db226ab4c668d046c..3d18a41ebbd28dd767eb64fc8930f60517145a66 100644 (file)
--- a/src/tag.c
+++ b/src/tag.c
@@ -1130,7 +1130,7 @@ do_tags(exarg_T *eap UNUSED)
                continue;
 
            msg_putchar('\n');
-           sprintf((char *)IObuff, "%c%2d %2d %-15s %5ld  ",
+           vim_snprintf((char *)IObuff, IOSIZE, "%c%2d %2d %-15s %5ld  ",
                i == tagstackidx ? '>' : ' ',
                i + 1,
                tagstack[i].cur_match + 1,

diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
index 2d1557ebd9398c84a63c2d543876043bed62dfc2..3ad2025915ab627dd0d9cb9688555a4f8cbe576f 100644 (file)
--- a/src/testdir/test_taglist.vim
+++ b/src/testdir/test_taglist.vim
@@ -1,4 +1,4 @@
-" test 'taglist' function
+" test 'taglist' function and :tags command
 
 func Test_taglist()
   call writefile([
@@ -56,3 +56,8 @@ func Test_taglist_ctags_etags()
 
   call delete('Xtags')
 endfunc
+
+func Test_tags_too_long()
+  call assert_fails('tag ' . repeat('x', 1020), 'E426')
+  tags
+endfunc

diff --git a/src/version.c b/src/version.c
index ed86ef603465b57f6bef2fdf50e7f4e22985fd43..97f0d66ca9ddeb000c352feb1060a5744dbf786d 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1409,
 /**/
     1408,
 /**/