Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*
- < 9.1.2132
A heap buffer overflow has been identified in Vim's tag file resolution logic, affecting versions prior to 9.1.2132. The issue is in the get_tagfname() function in src/tag.c, where the value of the user-controlled 'helpfile' option is copied with an unchecked STRCPY() into a heap buffer of MAXPATHL + 1 bytes allocated for the tag file name. No bounds check precedes the copy, so setting 'helpfile' to a string longer than MAXPATHL writes past the end of the allocation and corrupts the heap. MAXPATHL is Vim's maximum path length; on most Unix builds it equals the system's MAXPATHLEN (4096 on Linux).
Triggering the overflow normally crashes Vim immediately because of the heap corruption. Since the out-of-bounds write lands in adjacent heap allocations and allocator metadata, arbitrary code execution cannot be ruled out; whether it is achievable depends on the heap layout and the exploitation techniques available.
The issue can be reproduced by setting 'helpfile' to a value longer than MAXPATHL bytes (for example with :set helpfile=...) and then running :help. The help lookup searches the help tags file through get_tagfname(), where the unchecked STRCPY() overflows the heap-allocated buffer. Note that the option value has to come from the user or from configuration Vim already executes (a vimrc, a :set command, a sourced script); simply opening a file does not change it, and the overflow only occurs once a help tag lookup is performed afterwards.
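To make the bug pattern concrete, the following C program is an added example, not Vim's code: it models the tag file name construction the advisory describes (a heap buffer of MAXPATHL + 1 bytes, the tail of 'helpfile' replaced by "tags") with the unchecked STRCPY() pattern beside a bounds-checked version. MAXPATHL = 4096, the '/'-only separator handling and the function names are assumptions of the model, and the sample paths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced model of the pattern in the advisory; added example, not Vim's code.
 * MAXPATHL is assumed to be 4096 (Linux MAXPATHLEN). The name buffer is
 * MAXPATHL + 1 bytes, like the one find_tags() hands to get_tagfname().
 * Only '/' is treated as a path separator. */
#define MAXPATHL    4096
#define TAGBUF_SIZE (MAXPATHL + 1)
#define OK   1
#define FAIL 0

/* gettail(): pointer to the last path component. */
static char *gettail(char *path)
{
    char *slash = strrchr(path, '/');
    return slash != NULL ? slash + 1 : path;
}

/* Vulnerable pattern: 'helpfile' is copied with no bound. If
 * strlen(helpfile) > MAXPATHL the copy runs past the TAGBUF_SIZE allocation.
 * Kept for comparison only; never feed it an unchecked length. */
static void build_tags_name_unchecked(char *buf, const char *helpfile)
{
    strcpy(buf, helpfile);            /* STRCPY() in the original */
    strcpy(gettail(buf), "tags");     /* ".../doc/help.txt" -> ".../doc/tags" */
}

/* Hardened pattern: verify that the value and the "tags" suffix both fit
 * before writing anything; on FAIL the buffer is left untouched. */
static int build_tags_name_checked(char *buf, size_t bufsize, const char *helpfile)
{
    size_t len = strlen(helpfile);
    if (len >= bufsize)
        return FAIL;
    const char *slash = strrchr(helpfile, '/');
    size_t tail_off = slash != NULL ? (size_t)(slash - helpfile) + 1 : 0;
    /* The suffix overwrites the tail, so "tags\0" must fit from tail_off on. */
    if (tail_off + sizeof("tags") > bufsize)
        return FAIL;
    memcpy(buf, helpfile, len + 1);
    memcpy(buf + tail_off, "tags", sizeof("tags"));
    return OK;
}

/* 1 if the chosen builder turns helpfile into expected. The demo refuses to
 * run the unchecked builder on anything that could overflow. */
static int builder_yields(int checked, const char *helpfile, const char *expected)
{
    char *buf = malloc(TAGBUF_SIZE);
    if (buf == NULL)
        return 0;
    int ok;
    if (checked) {
        ok = build_tags_name_checked(buf, TAGBUF_SIZE, helpfile) == OK;
    } else {
        ok = strlen(helpfile) + sizeof("tags") <= TAGBUF_SIZE;  /* demo safety net */
        if (ok)
            build_tags_name_unchecked(buf, helpfile);
    }
    ok = ok && strcmp(buf, expected) == 0;
    free(buf);
    return ok;
}

/* 1 if the checked builder rejects a constructed value of total length len
 * ("/aaa...", optionally ending in '/') and leaves a sentinel byte untouched. */
static int checked_rejects(size_t len, int trailing_slash)
{
    char *helpfile = malloc(len + 1);
    char *buf = malloc(TAGBUF_SIZE);
    int rejected = 0;
    if (helpfile != NULL && buf != NULL && len >= 2) {
        memset(helpfile, 'a', len);
        helpfile[0] = '/';
        if (trailing_slash)
            helpfile[len - 1] = '/';
        helpfile[len] = '\0';
        buf[0] = 0x7f;                                   /* sentinel */
        rejected = build_tags_name_checked(buf, TAGBUF_SIZE, helpfile) == FAIL
                   && buf[0] == 0x7f;
    }
    free(helpfile);
    free(buf);
    return rejected;
}

int main(void)
{
    const char *hf = "/usr/share/vim/vim91/doc/help.txt";   /* constructed value */
    printf("normal value, unchecked: %s\n",
           builder_yields(0, hf, "/usr/share/vim/vim91/doc/tags") ? "ok" : "FAIL");
    printf("normal value, checked:   %s\n",
           builder_yields(1, hf, "/usr/share/vim/vim91/doc/tags") ? "ok" : "FAIL");
    /* The advisory's trigger: a value longer than MAXPATHL. */
    printf("%d-byte value, checked:  %s\n", MAXPATHL + 64,
           checked_rejects(MAXPATHL + 64, 0) ? "rejected" : "ACCEPTED");
    /* The value fits, but "tags" written after a trailing '/' would not. */
    printf("%d-byte value ending in '/': %s\n", MAXPATHL,
           checked_rejects(MAXPATHL, 1) ? "rejected" : "ACCEPTED");
    return 0;
}
```

Build with `cc -Wall -o tagbuf tagbuf.c`. The last case shows why a length check on the option value alone is not sufficient in this model: a value of exactly MAXPATHL bytes that ends in a separator fits the buffer, but the five bytes of "tags" written at its tail would not, so the check has to account for the suffix as well.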
Users should update to Vim 9.1.2132 or later, which contains the fix.