authorzeertzjq <zeertzjq@outlook.com>2022-07-04 09:48:20 +0800
committerzeertzjq <zeertzjq@outlook.com>2022-07-04 10:02:35 +0800
commita4215a0a21d1812e1d198c0546942302f7ad4126 (patch)
tree290b837fd4dae9c50a7922d6cbf6b7b6e1853cf2
parent1ff86aa634cc5b12e3f804f6594c36799acbf296 (diff)
vim-patch:8.2.5072: using uninitialized value and freed memory in spell command
Problem: Using uninitialized value and freed memory in spell command. Solution: Initialize "attr". Check for empty line early. https://github.com/vim/vim/commit/2813f38e021c6e6581c0c88fcf107e41788bc835
-rw-r--r--src/nvim/spell.c6
-rw-r--r--src/nvim/testdir/test_spell_utf8.vim15
2 files changed, 19 insertions, 2 deletions
diff --git a/src/nvim/spell.c b/src/nvim/spell.c
index 1cefc532aa..0fedd27037 100644
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@@ -1469,7 +1469,9 @@ size_t spell_move_to(win_T *wp, int dir, bool allwords, bool curline, hlf_T *att
}
// Copy the line into "buf" and append the start of the next line if
- // possible.
+ // possible. Note: this ml_get_buf() may make "line" invalid, check
+ // for empty line first.
+ bool empty_line = *skipwhite((const char *)line) == NUL;
STRCPY(buf, line);
if (lnum < wp->w_buffer->b_ml.ml_line_count) {
spell_cat_line(buf + STRLEN(buf),
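Review bot: The added comment says "this ml_get_buf()" without naming the call, and nothing marks `line` as unusable afterwards. The call meant is presumably the one that fetches the next line for `spell_cat_line()` just below; `STRCPY(buf, line)` is safe only because it runs before that fetch. I would word the comment as `// Note: fetching the next line below may invalidate "line"; do not dereference it after this point.` The second hunk replaces the one later read of `line` visible on this page, but the stretch of spell_move_to() between the two hunks is not shown, so any other read of `line` there should be checked for the same stale pointer. The description also mentions initializing "attr", which no hunk here does; presumably it is already initialized in this tree, but that is worth confirming.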
@@ -1613,7 +1615,7 @@ size_t spell_move_to(win_T *wp, int dir, bool allwords, bool curline, hlf_T *att
--capcol;
// But after empty line check first word in next line
- if (*skipwhite((char *)line) == NUL) {
+ if (empty_line) {
capcol = 0;
}
}
diff --git a/src/nvim/testdir/test_spell_utf8.vim b/src/nvim/testdir/test_spell_utf8.vim
index 3d240a8f2c..7ee001c090 100644
--- a/src/nvim/testdir/test_spell_utf8.vim
+++ b/src/nvim/testdir/test_spell_utf8.vim
@@ -808,5 +808,20 @@ func Test_word_index()
call delete('Xtmpfile')
endfunc
+func Test_check_empty_line()
+ " This was using freed memory
+ enew
+ spellgood! fl
+ norm z=
+ norm yy
+ sil! norm P]svc
+ norm P]s
+
+ " set 'encoding' to clear the wordt list
+ set enc=latin1
+ set enc=utf-8
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
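Review bot: Test_check_empty_line() contains no assertion, so it can only fail when the run is instrumented (AddressSanitizer or Valgrind) or when the stale read happens to crash; on a plain build it passes with or without the fix. A comment stating that dependency would help, e.g. `" No assert: relies on ASan/Valgrind to flag the read of freed memory`. The `sil!` on `sil! norm P]svc` also suppresses any error from that command, so an unrelated failure in that step would go unnoticed.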