]> granicus.if.org Git - vim/commitdiff
projects / vim / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5f6cae8)
patch 9.0.0109: writing over the end of a buffer on stack v9.0.0109
authorBram Moolenaar <Bram@vim.org>
Sat, 30 Jul 2022 10:39:57 +0000 (11:39 +0100)
committerBram Moolenaar <Bram@vim.org>
Sat, 30 Jul 2022 10:39:57 +0000 (11:39 +0100)
Problem:    Writing over the end of a buffer on stack when making list of
            spell suggestions.
Solution:   Make sure suggested word is not too long. (closes #10812)

src/spellsuggest.c patch | blob | history
src/testdir/test_spell_utf8.vim patch | blob | history
src/version.c patch | blob | history

diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index 8f9756534fa2e5740e29dca8bcd20fdca0c275f4..cc70ca7361998f23da25b6e0fc199e02ebf534e6 100644 (file)
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -592,15 +592,17 @@ spell_suggest(int count)
        msg_scroll = TRUE;
        for (i = 0; i < sug.su_ga.ga_len; ++i)
        {
+           int el;
+
            stp = &SUG(sug.su_ga, i);
 
            // The suggested word may replace only part of the bad word, add
-           // the not replaced part.
+           // the not replaced part.  But only when it's not getting too long.
            vim_strncpy(wcopy, stp->st_word, MAXWLEN);
-           if (sug.su_badlen > stp->st_orglen)
+           el = sug.su_badlen - stp->st_orglen;
+           if (el > 0 && stp->st_wordlen + el <= MAXWLEN)
                vim_strncpy(wcopy + stp->st_wordlen,
-                                              sug.su_badptr + stp->st_orglen,
-                                             sug.su_badlen - stp->st_orglen);
+                                          sug.su_badptr + stp->st_orglen, el);
            vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
 #ifdef FEAT_RIGHTLEFT
            if (cmdmsg_rl)
diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
index 07cb87af6ce99d8946e79b4b05ea506aa14a5f9b..91ada1ed38698ee655ff1a7f78c16d9687a455cf 100644 (file)
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -819,5 +819,13 @@ func Test_check_empty_line()
   bwipe!
 endfunc
 
+func Test_spell_suggest_too_long()
+  " this was creating a word longer than MAXWLEN
+  new
+  call setline(1, 'a' .. repeat("\u0333", 150))
+  norm! z=
+  bwipe!
+endfunc
+
 
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 80bd894b07795db1b458d16c5a5ec5c8d165e88c..cc642cc42cecd4ca6a69a9ce5de31cfdaff3e685 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    109,
 /**/
     108,
 /**/
Unnamed repository; edit this file 'description' to name the repository.