Vim Heap-Based Buffer Underflow Vulnerability in Emacs Tags Parsing

Vulnerability

A heap-based buffer underflow vulnerability has been identified in Vim's Emacs-style tags file parsing logic, affecting versions prior to 9.2.0075. The issue arises when Vim processes a malformed tags file with a delimiter at the start of a line, leading the application to read memory just before the allocated buffer. This vulnerability is located in the 'emacs_tags_parse_line()' function within 'src/tag.c'. The flaw allows for a 1-byte out-of-bounds read, which can cause a crash, resulting in a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a 1-byte out-of-bounds read, leading to a crash and denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a malformed Emacs tags file with a delimiter at the beginning of a line. Then, perform a tag lookup in Vim with this crafted tags file. The improper parsing will trigger the buffer underflow, causing Vim to crash.

Remediation

Users can upgrade to Vim version 9.2.0075 or later to address this vulnerability.

Added: Feb 27, 2026, 10:22 PM
Updated: Feb 28, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.