Mercurial > vim
changeset 29536:6d93f09815c1 v9.0.0109
patch 9.0.0109: writing over the end of a buffer on stack
Commit: https://github.com/vim/vim/commit/1eead4cf1daf87ee41aeb4de3b3e38708417f9d5
Author: Bram Moolenaar <Bram@vim.org>
Date: Sat Jul 30 11:39:57 2022 +0100
patch 9.0.0109: writing over the end of a buffer on stack
Problem: Writing over the end of a buffer on stack when making list of
spell suggestions.
Solution: Make sure suggested word is not too long. (closes #10812)
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Sat, 30 Jul 2022 12:45:02 +0200 |
| parents | 0dea4955e34b |
| children | a61fbf5cc251 |
| files | src/spellsuggest.c src/testdir/test_spell_utf8.vim src/version.c |
| diffstat | 3 files changed, 16 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/src/spellsuggest.c +++ b/src/spellsuggest.c @@ -592,15 +592,17 @@ spell_suggest(int count) msg_scroll = TRUE; for (i = 0; i < sug.su_ga.ga_len; ++i) { + int el; + stp = &SUG(sug.su_ga, i); // The suggested word may replace only part of the bad word, add - // the not replaced part. + // the not replaced part. But only when it's not getting too long. vim_strncpy(wcopy, stp->st_word, MAXWLEN); - if (sug.su_badlen > stp->st_orglen) + el = sug.su_badlen - stp->st_orglen; + if (el > 0 && stp->st_wordlen + el <= MAXWLEN) vim_strncpy(wcopy + stp->st_wordlen, - sug.su_badptr + stp->st_orglen, - sug.su_badlen - stp->st_orglen); + sug.su_badptr + stp->st_orglen, el); vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1); #ifdef FEAT_RIGHTLEFT if (cmdmsg_rl)
--- a/src/testdir/test_spell_utf8.vim +++ b/src/testdir/test_spell_utf8.vim @@ -819,5 +819,13 @@ func Test_check_empty_line() bwipe! endfunc +func Test_spell_suggest_too_long() + " this was creating a word longer than MAXWLEN + new + call setline(1, 'a' .. repeat("\u0333", 150)) + norm! z= + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab