patch 8.0.1409: buffer overflow in :tags command

brammool · brammool · commit 132f75255ece · 2017-12-19T10:49:34.000+01:00
Problem:    Buffer overflow in :tags command.
Solution:   Use vim_snprintf(). (Dominique Pelle, closes #2471, closes #2475)
            Add a test.
diff --git a/src/tag.c b/src/tag.c
@@ -1130,7 +1130,7 @@ do_tags(exarg_T *eap UNUSED)
 		continue;
 
 	    msg_putchar('\n');
-	    sprintf((char *)IObuff, "%c%2d %2d %-15s %5ld  ",
+	    vim_snprintf((char *)IObuff, IOSIZE, "%c%2d %2d %-15s %5ld  ",
 		i == tagstackidx ? '>' : ' ',
 		i + 1,
 		tagstack[i].cur_match + 1,
diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
@@ -1,4 +1,4 @@
-" test 'taglist' function
+" test 'taglist' function and :tags command
 
 func Test_taglist()
   call writefile([
@@ -56,3 +56,8 @@ func Test_taglist_ctags_etags()
 
   call delete('Xtags')
 endfunc
+
+func Test_tags_too_long()
+  call assert_fails('tag ' . repeat('x', 1020), 'E426')
+  tags
+endfunc
diff --git a/src/version.c b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1409,
 /**/
     1408,
 /**/
