Commit: patch 9.2.0293: :packadd may lead to heap-buffer-overflow

[Christian Brabandt]

patch 9.2.0293: :packadd may lead to heap-buffer-overflow

Commit: 
https://github.com/vim/vim/commit/bc182ae56eb71b94738aaa3bd607c32f584fc200
Author: zeertzjq <zeert...@outlook.com>
Date:   Sat Apr 4 08:32:33 2026 +0000

    patch 9.2.0293: :packadd may lead to heap-buffer-overflow
    
    Problem:  :packadd may lead to heap-buffer-overflow when all entries in
              'runtimepath' have the same length (after 9.2.0291).
    Solution: Check for comma after current entry properly (zeertzjq).
    
    related: #19854
    closes:  #19911
    
    Signed-off-by: zeertzjq <zeert...@outlook.com>
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/scriptfile.c b/src/scriptfile.c
index 6df5781a7..df90fe771 100644
--- a/src/scriptfile.c
+++ b/src/scriptfile.c
@@ -885,7 +885,7 @@ add_pack_dir_to_rtp(char_u *fname)
        buf.length = (size_t)copy_option_part(&entry, buf.string, MAXPATHL, 
",");
 
        // keep track of p_rtp length as we go to make the STRLEN() below have 
less work to do
-       p_rtp_len += (*(p_rtp + buf.length) == ',') ? buf.length + 1 : 
buf.length;
+       p_rtp_len += (*(cur_entry + buf.length) == ',') ? buf.length + 1 : 
buf.length;
 
        if ((p = (char_u *)strstr((char *)buf.string, "after")) != NULL
                && p > buf.string
diff --git a/src/testdir/test_packadd.vim b/src/testdir/test_packadd.vim
index cd7126a9d..6a368762a 100644
--- a/src/testdir/test_packadd.vim
+++ b/src/testdir/test_packadd.vim
@@ -26,6 +26,13 @@ func Test_packadd()
   " plugdir should be inserted before plugdir/after
   call assert_match('^nosuchdir,' . s:plugdir . ',', &rtp)
 
+  " This used to cause heep-buffer-overflow
+  " All existing entries in 'rtp' have the same length here
+  let &rtp = 'Xfoodir,Xbardir,Xbazdir'
+  packadd mytest
+  " plugdir should be inserted after the existing directories
+  call assert_match('^Xfoodir,Xbardir,Xbazdir,' .. s:plugdir .. ',', &rtp)
+
   set rtp&
   let rtp = &rtp
   filetype on
diff --git a/src/version.c b/src/version.c
index c9db272bb..50474f4ac 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    293,
 /**/
     292,
 /**/

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/vim_dev/E1w8wcq-003RVH-3E%40256bit.org.