patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk Commit: https://github.com/vim/vim/commit/0fb375aae608d7306b4baf9c1f906961f32e2abf Author: Christian Brabandt <cb@256bit.org> Date: Wed Nov 29 10:23:39 2023 +0100 patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk Problem: [security]: buffer-overflow in suggest_trie_walk Solution: Check n before using it as index into byts array Basically, n as an index into the byts array, can point to beyond the byts array. So let's double check, that n is within the expected range after incrementing it from sp->ts_curi and bail out if it would be invalid. Reported by @henices, thanks! Signed-off-by: Christian Brabandt <cb@256bit.org>

|a+0&#ffffff0|w|o|r|d| @69
|t|e|s|a|w|o|r|d> @66
|~+0#4040ff13&| | +0#0000001#e0e0e08|w|r|d| @4|W| |e|x|t|r|a| |t|e|x|t| @1| +0#0000000#0000001| +0#0000001#e0e0e08|w|o|r|d|s| |a|r|e| @1| +0#4040ff13#ffffff0@36
|~| | +0#0000001#ffd7ff255|a|n|o|t|w|r|d| |W| |e|x|t|r|a| |t|e|x|t| @1| +0#0000000#0000001| +0#0000001#e0e0e08|c|o@1|l| @6| +0#4040ff13#ffffff0@36
|~| | +0#0000001#ffd7ff255|n|o|a|w|r|d| @1|W| |e|x|t|r|a| |t|e|x|t| @1| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@48
|~| @73
|~| @73
|~| @73
|~| @73
|~| @73
|~| @73
|~| @73
|~| @73
|-+2#0000000&@1| |U|s|e|r| |d|e|f|i|n|e|d| |c|o|m|p|l|e|t|i|o|n| |(|^|U|^|N|^|P|)| |m+0#00e0003&|a|t|c|h| |1| |o|f| |4| +0#0000000&@26