From: Bram Moolenaar Date: Sat, 30 Jul 2022 10:39:57 +0000 (+0100) Subject: patch 9.0.0109: writing over the end of a buffer on stack X-Git-Tag: v9.0.0109 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1eead4cf1daf87ee41aeb4de3b3e38708417f9d5;p=vim patch 9.0.0109: writing over the end of a buffer on stack Problem: Writing over the end of a buffer on stack when making list of spell suggestions. Solution: Make sure suggested word is not too long. (closes #10812) --- diff --git a/src/spellsuggest.c b/src/spellsuggest.c index 8f9756534..cc70ca736 100644 --- a/src/spellsuggest.c +++ b/src/spellsuggest.c @@ -592,15 +592,17 @@ spell_suggest(int count) msg_scroll = TRUE; for (i = 0; i < sug.su_ga.ga_len; ++i) { + int el; + stp = &SUG(sug.su_ga, i); // The suggested word may replace only part of the bad word, add - // the not replaced part. + // the not replaced part. But only when it's not getting too long. vim_strncpy(wcopy, stp->st_word, MAXWLEN); - if (sug.su_badlen > stp->st_orglen) + el = sug.su_badlen - stp->st_orglen; + if (el > 0 && stp->st_wordlen + el <= MAXWLEN) vim_strncpy(wcopy + stp->st_wordlen, - sug.su_badptr + stp->st_orglen, - sug.su_badlen - stp->st_orglen); + sug.su_badptr + stp->st_orglen, el); vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1); #ifdef FEAT_RIGHTLEFT if (cmdmsg_rl) diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim index 07cb87af6..91ada1ed3 100644 --- a/src/testdir/test_spell_utf8.vim +++ b/src/testdir/test_spell_utf8.vim @@ -819,5 +819,13 @@ func Test_check_empty_line() bwipe! endfunc +func Test_spell_suggest_too_long() + " this was creating a word longer than MAXWLEN + new + call setline(1, 'a' .. repeat("\u0333", 150)) + norm! z= + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 80bd894b0..cc642cc42 100644 --- a/src/version.c +++ b/src/version.c 
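Review bot: The new guard `stp->st_wordlen + el <= MAXWLEN` is only a valid bound if `wcopy` has room for MAXWLEN bytes plus the terminating NUL, and the declaration of `wcopy` is outside this hunk, so that invariant should be written next to the check. vim_strncpy() stores the NUL at `to[len]`, which makes `stp->st_wordlen + el` the highest index written by the second copy. A comment such as `// wcopy needs MAXWLEN + 1 bytes: vim_strncpy() puts the NUL at to[len]` would keep a later resize of the buffer from reopening the overflow. When the tail does not fit it is dropped without notice, so the listed suggestion then lacks the unreplaced part of the bad word; that appears to affect only the display, but it is worth confirming against the later uses of `wcopy`. spell_suggest() starts before and continues after the hunk.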
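Review bot: Test_spell_suggest_too_long() contains no assertion, so it fails only if `norm! z=` crashes or a memory checker reports the out-of-bounds write; on a plain build the old code could pass unnoticed. Say so in the function, e.g. `" no assert: relies on ASan/valgrind runs to report the stack write`. If the line is expected to stay unchanged once the suggestion prompt ends, a check such as `call assert_equal('a' .. repeat("\u0333", 150), getline(1))` would give the test a result of its own. The test also does not set 'spell' or 'spelllang' itself, so it presumably depends on defaults or on state left by earlier tests in the file.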
@@ -735,6 +735,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 109, /**/ 108, /**/