aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-11-14 23:04:02 -05:00
Code Activity

patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk

Browse Source 
Problem:  [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array

Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.

Reported by @henices, thanks!

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2023-11-29 10:23:39 +01:00
parent eec0c2b3a4
commit 0fb375aae6
4 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/spellsuggest.c
View File

@@ -2175,6 +2175,13 @@ suggest_trie_walk(
// - Skip the byte if it's equal to the byte in the word,
// accepting that byte is always better.
n += sp->ts_curi++;
// break out, if we would be accessing byts buffer out of bounds
if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len)
{
got_int = TRUE;
break;
}
c = byts[n];
if (soundfold && sp->ts_twordlen == 0 && c == '*')
// Inserting a vowel at the start of a word counts less,