From: Markus Koschany Date: Sun, 6 Nov 2022 23:12:54 +0100 Subject: CVE-2022-2946 Origin: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c --- src/tag.c | 9 ++++++++- src/testdir/test_tagcase.vim | 12 ++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) --- a/src/tag.c +++ b/src/tag.c @@ -146,6 +146,7 @@ do_tag( int attr; int use_tagstack; int skip_msg = FALSE; + char_u *tofree = NULL; char_u *buf_ffname = curbuf->b_ffname; /* name to use for priority computation */ @@ -486,7 +487,12 @@ do_tag( * When desired match not found yet, try to find it (and others). */ if (use_tagstack) - name = tagstack[tagstackidx].tagname; + { + // make a copy, the tagstack may change in 'tagfunc' + name = vim_strsave(tagstack[tagstackidx].tagname); + vim_free(tofree); + tofree = name; + } #if defined(FEAT_QUICKFIX) else if (g_do_tagpreview != 0) name = ptag_entry.tagname; @@ -1078,6 +1084,7 @@ end_do_tag: g_do_tagpreview = 0; /* don't do tag preview next time */ # endif + vim_free(tofree); #ifdef FEAT_CSCOPE return jumped_to_tag; #else