patch 8.2.5072: using uninitialized value and freed memory in spell command

Problem:    Using uninitialized value and freed memory in spell command.
Solution:   Initialize "attr".  Check for empty line early.

diff --git a/src/spell.c b/src/spell.c
index 48a2203e3f042b933b9885e870d7a330522ec441..d866a2df7265c126ff859f43ab854981cba7701e 100644 (file)
--- a/src/spell.c
+++ b/src/spell.c
@@ -1275,7 +1275,7 @@ spell_move_to(
     char_u     *line;
     char_u     *p;
     char_u     *endp;
-    hlf_T      attr;
+    hlf_T      attr = 0;
     int                len;
 #ifdef FEAT_SYN_HL
     int                has_syntax = syntax_present(wp);
@@ -1308,6 +1308,8 @@ spell_move_to(
 
     while (!got_int)
     {
+       int empty_line;
+
        line = ml_get_buf(wp->w_buffer, lnum, FALSE);
 
        len = (int)STRLEN(line);
@@ -1340,7 +1342,9 @@ spell_move_to(
        }
 
        // Copy the line into "buf" and append the start of the next line if
-       // possible.
+       // possible.  Note: this ml_get_buf() may make "line" invalid, check
+       // for empty line first.
+       empty_line = *skipwhite(line) == NUL;
        STRCPY(buf, line);
        if (lnum < wp->w_buffer->b_ml.ml_line_count)
            spell_cat_line(buf + STRLEN(buf),
@@ -1487,7 +1491,7 @@ spell_move_to(
            --capcol;
 
            // But after empty line check first word in next line
-           if (*skipwhite(line) == NUL)
+           if (empty_line)
                capcol = 0;
        }
 

diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
index ef08f953521c79cd2d63b96605c7698a4427f670..f9f85a63ae99f8c77bc845dc12af1d110f2a0f77 100644 (file)
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -802,5 +802,20 @@ func Test_word_index()
   call delete('Xtmpfile')
 endfunc
 
+func Test_check_empty_line()
+  " This was using freed memory
+  enew
+  spellgood! fl
+  norm z=
+  norm yy
+  sil! norm P]svc
+  norm P]s
+
+  " set 'encoding' to clear the wordt list
+  set enc=latin1
+  set enc=utf-8
+  bwipe!
+endfunc
+
 
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index ebfd0d45feef0b89094807cd2c478a898d346055..8f5a4ff71b607dd0c2093f563ce3cae6502c42e1 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    5072,
 /**/
     5071,
 /**/