Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*
- < 9.2.0074
A heap-based buffer overflow vulnerability allowing out-of-bounds reads has been identified in Vim versions prior to 9.2.0074. The issue lies in the Emacs-style tags file parsing logic, specifically in the 'emacs_tags_new_filename()' function. When Vim processes a malformed tags file, it can be made to read up to 7 bytes beyond the end of the allocated buffer. The vulnerability occurs because the code assumes a comma delimiter has been found even when it has not, so memory immediately past the buffer boundary is read. This out-of-bounds read can cause Vim to crash, creating a denial-of-service condition.
Exploitation of this vulnerability causes a crash, disrupting the normal operation of Vim. However, it is important to note that this vulnerability does not allow for arbitrary code execution or other more severe impacts.
To reproduce this vulnerability, create a malformed Emacs tags file that includes a line exceeding 512 bytes without a comma delimiter. When this file is loaded in Vim and a tag lookup is performed, Vim will crash due to the out-of-bounds read.
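The following C fragment is an added illustration of the defensive check the description implies; it is not Vim's code and it does not reproduce 'emacs_tags_new_filename()'. It assumes a simplified "filename,size" line layout and a buffer that is not NUL-terminated (only 'len' bytes are valid), and it shows a bounded delimiter search whose failure is handled instead of assumed away, including the malformed case above (a line longer than 512 bytes with no comma).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Vim's code: parse one Emacs-style TAGS
 * filename line of the assumed form "filename,size". Only the first
 * `len` bytes of `buf` are valid; the buffer is NOT NUL-terminated. */
#define MAX_NAME 512

/* Returns 1 on success (name and size filled in), 0 on a malformed line.
 * The bug class in the advisory is a delimiter search that is assumed
 * to succeed: when the comma is missing, pointer arithmetic on a NULL or
 * end-of-buffer result reads past the allocation. Here the search is
 * bounded by memchr() and its failure is an explicit return path. */
static int parse_tags_filename_line(const char *buf, size_t len,
                                    char *name, size_t name_cap,
                                    long *size_out)
{
    const char *comma = memchr(buf, ',', len);   /* never looks past len */
    if (comma == NULL)
        return 0;                                /* delimiter missing */

    size_t name_len = (size_t)(comma - buf);
    if (name_len == 0 || name_len >= name_cap)
        return 0;                                /* empty or too long */
    memcpy(name, buf, name_len);
    name[name_len] = '\0';

    /* Parse the size digits after the comma, still within [buf, buf+len). */
    const char *p = comma + 1;
    const char *end = buf + len;
    long size = 0;
    int digits = 0;
    while (p < end && *p >= '0' && *p <= '9') {
        size = size * 10 + (*p - '0');
        p++;
        digits++;
    }
    if (digits == 0)
        return 0;                                /* no size field */
    *size_out = size;
    return 1;
}

/* Well-formed constructed line: parser must accept it and extract both fields. */
static int well_formed_ok(void)
{
    static const char line[] = "src/main.c,1234\n";
    char name[MAX_NAME];
    long size = 0;
    int ok = parse_tags_filename_line(line, sizeof line - 1,
                                      name, sizeof name, &size);
    return ok == 1 && strcmp(name, "src/main.c") == 0 && size == 1234;
}

/* Constructed malformed input matching the advisory's reproduction note:
 * more than 512 bytes, no comma, no terminator. Must be rejected, not read past. */
static int malformed_rejected(void)
{
    char line[600];
    char name[MAX_NAME];
    long size = 0;
    memset(line, 'A', sizeof line);
    return parse_tags_filename_line(line, sizeof line,
                                    name, sizeof name, &size);
}

/* A comma present but a name too long for the destination is also rejected. */
static int long_name_rejected(void)
{
    char line[600];
    char name[MAX_NAME];
    long size = 0;
    memset(line, 'B', sizeof line);
    line[590] = ',';
    line[591] = '7';
    return parse_tags_filename_line(line, sizeof line,
                                    name, sizeof name, &size);
}

int main(void)
{
    printf("well-formed accepted: %d\n", well_formed_ok());
    printf("malformed accepted:   %d\n", malformed_rejected());
    printf("long name accepted:   %d\n", long_name_rejected());
    return 0;
}
```

The point of the example is the shape of the check: a bounded search (memchr with the valid length, not strchr on data that may lack a terminator) plus an explicit failure path, so a tags file that omits the delimiter yields a parse error rather than a read past the allocation.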
Users can upgrade to Vim version 9.2.0074 or later, where this vulnerability has been fixed.