patch 8.2.1521: reading past end of buffer when reading spellfile

Problem:    Reading past end of buffer when reading spellfile. (Yegappan
            Lakshmanan)
Solution:   Store the byte length and check for it.

diff --git a/src/spell.h b/src/spell.h
index b444145be32e1cda7a55a87bd440f1f4c1cfac0d..7e4f813b46f49cdef0190e9496e6bd4e6cbed94e 100644 (file)
--- a/src/spell.h
+++ b/src/spell.h
@@ -66,6 +66,7 @@ struct slang_S
     int                sl_add;         // TRUE if it's a .add file.
 
     char_u     *sl_fbyts;      // case-folded word bytes
+    long       sl_fbyts_len;   // length of sl_fbyts
     idx_T      *sl_fidxs;      // case-folded word indexes
     char_u     *sl_kbyts;      // keep-case word bytes
     idx_T      *sl_kidxs;      // keep-case word indexes

diff --git a/src/spellfile.c b/src/spellfile.c
index 957be097a643a4e1bf5cc3d6f376968c7f1502b6..6aeac86b858477ffbadd414ea288bd09949be437 100644 (file)
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -315,7 +315,7 @@ static int read_compound(FILE *fd, slang_T *slang, int len);
 static int set_sofo(slang_T *lp, char_u *from, char_u *to);
 static void set_sal_first(slang_T *lp);
 static int *mb_str2wide(char_u *s);
-static int spell_read_tree(FILE *fd, char_u **bytsp, idx_T **idxsp, int prefixtree, int prefixcnt);
+static int spell_read_tree(FILE *fd, char_u **bytsp, long *bytsp_len, idx_T **idxsp, int prefixtree, int prefixcnt);
 static idx_T read_tree_node(FILE *fd, char_u *byts, idx_T *idxs, int maxidx, idx_T startidx, int prefixtree, int maxprefcondnr);
 static void set_spell_charflags(char_u *flags, int cnt, char_u *upp);
 static int set_spell_chartab(char_u *fol, char_u *low, char_u *upp);
@@ -553,17 +553,18 @@ truncerr:
     }
 
     // <LWORDTREE>
-    res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fidxs, FALSE, 0);
+    res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fbyts_len,
+                                                     &lp->sl_fidxs, FALSE, 0);
     if (res != 0)
        goto someerror;
 
     // <KWORDTREE>
-    res = spell_read_tree(fd, &lp->sl_kbyts, &lp->sl_kidxs, FALSE, 0);
+    res = spell_read_tree(fd, &lp->sl_kbyts, NULL, &lp->sl_kidxs, FALSE, 0);
     if (res != 0)
        goto someerror;
 
     // <PREFIXTREE>
-    res = spell_read_tree(fd, &lp->sl_pbyts, &lp->sl_pidxs, TRUE,
+    res = spell_read_tree(fd, &lp->sl_pbyts, NULL, &lp->sl_pidxs, TRUE,
                                                            lp->sl_prefixcnt);
     if (res != 0)
        goto someerror;
@@ -737,7 +738,7 @@ suggest_load_files(void)
             * <SUGWORDTREE>: <wordtree>
             * Read the trie with the soundfolded words.
             */
-           if (spell_read_tree(fd, &slang->sl_sbyts, &slang->sl_sidxs,
+           if (spell_read_tree(fd, &slang->sl_sbyts, NULL, &slang->sl_sidxs,
                                                               FALSE, 0) != 0)
            {
 someerror:
@@ -1572,6 +1573,7 @@ mb_str2wide(char_u *s)
 spell_read_tree(
     FILE       *fd,
     char_u     **bytsp,
+    long       *bytsp_len,
     idx_T      **idxsp,
     int                prefixtree,     // TRUE for the prefix tree
     int                prefixcnt)      // when "prefixtree" is TRUE: prefix count
@@ -1596,6 +1598,8 @@ spell_read_tree(
        if (bp == NULL)
            return SP_OTHERERROR;
        *bytsp = bp;
+       if (bytsp_len != NULL)
+           *bytsp_len = len;
 
        // Allocate the index array.
        ip = lalloc_clear(len * sizeof(int), TRUE);
@@ -5609,8 +5613,8 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
                spin->si_blocks_cnt = 0;
 
                // Skip over any other NUL bytes (same word with different
-               // flags).
-               while (byts[n + 1] == 0)
+               // flags).  But don't go over the end.
+               while (n + 1 < slang->sl_fbyts_len && byts[n + 1] == 0)
                {
                    ++n;
                    ++curi[depth];

diff --git a/src/version.c b/src/version.c
index 41e91880cdf58aa26b955b5096e603ddb559c2fe..4560103d96ed528ad3fb41a2909626f162d9962b 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1521,
 /**/
     1520,
 /**/