thac0/vim
1
0
Fork 0
forked from aniani/vim
Code Activity

patch 9.0.0021: invalid memory access when adding word to spell word list

Browse Source 
Problem:    Invalid memory access when adding word with a control character to
            the internal spell word list.
Solution:   Disallow adding a word with control characters or a trailing
            slash.
This commit is contained in:
Bram Moolenaar
2022-07-01 22:26:20 +01:00
parent f12129f171
commit 5e59ea54c0
3 changed files with 36 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/spellfile.c
View File

@@ -4366,6 +4366,23 @@ wordtree_alloc(spellinfo_T *spin)
return (wordnode_T *)getroom(spin, sizeof(wordnode_T), TRUE); return (wordnode_T *)getroom(spin, sizeof(wordnode_T), TRUE);
} }
/*
* Return TRUE if "word" contains valid word characters.
* Control characters and trailing '/' are invalid. Space is OK.
*/
static int
valid_spell_word(char_u *word)
{
char_u *p;
if (enc_utf8 && !utf_valid_string(word, NULL))
return FALSE;
for (p = word; *p != NUL; p += mb_ptr2len(p))
if (*p < ' ' || (p[0] == '/' && p[1] == NUL))
return FALSE;
return TRUE;
}
/* /*
* Store a word in the tree(s). * Store a word in the tree(s).
* Always store it in the case-folded tree. For a keep-case word this is * Always store it in the case-folded tree. For a keep-case word this is
@@ -4391,7 +4408,7 @@ store_word(
char_u *p; char_u *p;
// Avoid adding illegal bytes to the word tree. // Avoid adding illegal bytes to the word tree.
if (enc_utf8 && !utf_valid_string(word, NULL)) if (!valid_spell_word(word))
return FAIL; return FAIL;
(void)spell_casefold(curwin, word, len, foldword, MAXWLEN); (void)spell_casefold(curwin, word, len, foldword, MAXWLEN);
@@ -6194,7 +6211,7 @@ spell_add_word(
int i; int i;
char_u *spf; char_u *spf;
if (enc_utf8 && !utf_valid_string(word, NULL)) if (!valid_spell_word(word))
{ {
emsg(_(e_illegal_character_in_word)); emsg(_(e_illegal_character_in_word));
return; return;

15
src/testdir/test_spell.vim
View File

@@ -854,6 +854,21 @@ func Test_spellsuggest_too_deep()
bwipe! bwipe!
endfunc endfunc
func Test_spell_good_word_invalid()
" This was adding a word with a 0x02 byte, which causes havoc.
enew
norm o0
sil! norm rzzWs00/
2
sil! norm VzGprzzW
sil! norm z=
bwipe!
" clear the internal word list
set enc=latin1
set enc=utf-8
endfunc
func LoadAffAndDic(aff_contents, dic_contents) func LoadAffAndDic(aff_contents, dic_contents)
set enc=latin1 set enc=latin1
set spellfile= set spellfile=

2
src/version.c
View File

@@ -735,6 +735,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
21,
/**/ /**/
20, 20,
/**/ /**/