changeset 29102:fd9006d6ddcf v8.2.5072

patch 8.2.5072: using uninitialized value and freed memory in spell command Commit: https://github.com/vim/vim/commit/2813f38e021c6e6581c0c88fcf107e41788bc835 Author: Bram Moolenaar <Bram@vim.org> Date: Thu Jun 9 19:54:24 2022 +0100 patch 8.2.5072: using uninitialized value and freed memory in spell command Problem: Using uninitialized value and freed memory in spell command. Solution: Initialize "attr". Check for empty line early.
author Bram Moolenaar <Bram@vim.org>
date Thu, 09 Jun 2022 21:00:04 +0200
parents 66edb33d194b
children 6ecf51abe41c
files src/spell.c src/testdir/test_spell_utf8.vim src/version.c
diffstat 3 files changed, 24 insertions(+), 3 deletions(-) [+]
--- a/src/spell.c
+++ b/src/spell.c
@@ -1275,7 +1275,7 @@ spell_move_to(
     char_u	*line;
     char_u	*p;
     char_u	*endp;
-    hlf_T	attr;
+    hlf_T	attr = 0;
     int		len;
 #ifdef FEAT_SYN_HL
     int		has_syntax = syntax_present(wp);
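Review bot: `hlf_T attr = 0;` initializes an enum with a bare integer, so the default is whichever highlight group comes first in `hlf_T` rather than an explicit "nothing found" value. For a fix aimed at an uninitialized read, the safer default is one that later code treats as no result. If `HLF_COUNT` plays that role in this function, `hlf_T	attr = HLF_COUNT;` would state the intent directly; the reads of `attr` are outside the hunk, so this needs confirming. spell_move_to's body starts and ends outside this hunk.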
@@ -1308,6 +1308,8 @@ spell_move_to(
 
     while (!got_int)
     {
+	int empty_line;
+
 	line = ml_get_buf(wp->w_buffer, lnum, FALSE);
 
 	len = (int)STRLEN(line);
@@ -1340,7 +1342,9 @@ spell_move_to(
 	}
 
 	// Copy the line into "buf" and append the start of the next line if
-	// possible.
+	// possible.  Note: this ml_get_buf() may make "line" invalid, check
+	// for empty line first.
+	empty_line = *skipwhite(line) == NUL;
 	STRCPY(buf, line);
 	if (lnum < wp->w_buffer->b_ml.ml_line_count)
 	    spell_cat_line(buf + STRLEN(buf),
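Review bot: The added comment says "this ml_get_buf()" but sits above `empty_line = ...` and `STRCPY(buf, line)`, neither of which calls it. The call that can invalidate `line` is presumably the argument to `spell_cat_line()`, which continues past the end of this hunk. I would put the warning on that call instead, e.g. `// ml_get_buf() for the next line may invalidate "line"; do not read "line" below this point.` It is also worth confirming that no other read of `line` remains later in the loop body: this commit converts only the one at the `capcol` check, and the rest of the loop is not visible here.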
@@ -1487,7 +1491,7 @@ spell_move_to(
 	    --capcol;
 
 	    // But after empty line check first word in next line
-	    if (*skipwhite(line) == NUL)
+	    if (empty_line)
 		capcol = 0;
 	}
 
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -802,5 +802,20 @@ func Test_word_index()
   call delete('Xtmpfile')
 endfunc
 
+func Test_check_empty_line()
+  " This was using freed memory
+  enew
+  spellgood! fl
+  norm z=
+  norm yy
+  sil! norm P]svc
+  norm P]s
+
+  " set 'encoding' to clear the wordt list
+  set enc=latin1
+  set enc=utf-8
+  bwipe!
+endfunc
+
 
 " vim: shiftwidth=2 sts=2 expandtab
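Review bot: `Test_check_empty_line()` contains no assertion, so it can only fail if the freed-memory access happens to crash or the suite is run under a memory checker such as ASan or valgrind. A one-line comment would make that dependency explicit, e.g. `" No assert: a regression only shows up as a crash or a memory checker report.` The comment `" set 'encoding' to clear the wordt list` also has a typo and should read `word list`.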
--- a/src/version.c
+++ b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    5072,
+/**/
     5071,
 /**/
     5070,