authorJan Edmund Lazo <jan.lazo@mail.utoronto.ca>2020-10-27 22:21:39 -0400
committerJan Edmund Lazo <jan.lazo@mail.utoronto.ca>2020-10-29 18:36:38 -0400
commit5329cb2e5c2c765a062875ef1c2542a270881d72 (patch)
treea4c3e0300fa4a09aab996e9d38c6cb937beac084
parentcb6b5e5540e737fdf391905f87eb3ed3c98b0fbd (diff)
vim-patch:8.2.1521: reading past end of buffer when reading spellfile
Problem: Reading past end of buffer when reading spellfile. (Yegappan Lakshmanan) Solution: Store the byte length and check for it. https://github.com/vim/vim/commit/07399e7f078729b03451ba2b342d0cb434ab75cf
-rw-r--r--src/nvim/spell_defs.h1
-rw-r--r--src/nvim/spellfile.c35
2 files changed, 23 insertions, 13 deletions
diff --git a/src/nvim/spell_defs.h b/src/nvim/spell_defs.h
index 034c580b3e..05667f060e 100644
--- a/src/nvim/spell_defs.h
+++ b/src/nvim/spell_defs.h
@@ -119,6 +119,7 @@ struct slang_S {
bool sl_add; // true if it's a .add file.
char_u *sl_fbyts; // case-folded word bytes
+ long sl_fbyts_len; // length of sl_fbyts
idx_T *sl_fidxs; // case-folded word indexes
char_u *sl_kbyts; // keep-case word bytes
idx_T *sl_kidxs; // keep-case word indexes
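Review bot: The comment on the new field, "length of sl_fbyts", gives neither the unit nor the fact that this diff records a length for the fold tree only (the keep-case and prefix trees get no matching field), so a reader of slang_S cannot tell which arrays are bounded. Suggest `long sl_fbyts_len; // byte count of sl_fbyts, set by spell_read_tree() for the LWORDTREE only`. Nothing in this diff resets the field where `sl_fbyts` is released; if the routine that frees that array (outside the diff) does not also set `sl_fbyts_len = 0`, a stale length can be paired with a freed or not-yet-read buffer on reload.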
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c
index 09d8646c6d..b415a4635b 100644
--- a/src/nvim/spellfile.c
+++ b/src/nvim/spellfile.c
@@ -764,20 +764,24 @@ truncerr:
}
// <LWORDTREE>
- res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fidxs, false, 0);
- if (res != 0)
+ res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fbyts_len,
+ &lp->sl_fidxs, false, 0);
+ if (res != 0) {
goto someerror;
+ }
// <KWORDTREE>
- res = spell_read_tree(fd, &lp->sl_kbyts, &lp->sl_kidxs, false, 0);
- if (res != 0)
+ res = spell_read_tree(fd, &lp->sl_kbyts, NULL, &lp->sl_kidxs, false, 0);
+ if (res != 0) {
goto someerror;
+ }
// <PREFIXTREE>
- res = spell_read_tree(fd, &lp->sl_pbyts, &lp->sl_pidxs, true,
- lp->sl_prefixcnt);
- if (res != 0)
+ res = spell_read_tree(fd, &lp->sl_pbyts, NULL, &lp->sl_pidxs, true,
+ lp->sl_prefixcnt);
+ if (res != 0) {
goto someerror;
+ }
// For a new file link it in the list of spell files.
if (old_lp == NULL && lang != NULL) {
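Review bot: Only the LWORDTREE call passes a length slot; the KWORDTREE and PREFIXTREE calls at the two changed lines pass `NULL`, so `sl_kbyts` and `sl_pbyts` remain arrays whose size no consumer can check. The overrun this commit fixes was a NUL-skipping loop over `sl_fbyts`; if any walker indexes `sl_kbyts` or `sl_pbyts` the same way, it stays unguarded. Consider adding `sl_kbyts_len`/`sl_pbyts_len` to slang_S and passing `&lp->sl_kbyts_len` and `&lp->sl_pbyts_len` in place of the two `NULL`s so every tree carries its bound. The enclosing function starts and ends outside this hunk.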
@@ -920,8 +924,8 @@ void suggest_load_files(void)
// <SUGWORDTREE>: <wordtree>
// Read the trie with the soundfolded words.
- if (spell_read_tree(fd, &slang->sl_sbyts, &slang->sl_sidxs,
- false, 0) != 0) {
+ if (spell_read_tree(fd, &slang->sl_sbyts, NULL, &slang->sl_sidxs,
+ false, 0) != 0) {
someerror:
EMSG2(_("E782: error while reading .sug file: %s"),
slang->sl_fname);
@@ -1630,10 +1634,12 @@ static int
spell_read_tree (
FILE *fd,
char_u **bytsp,
+ long *bytsp_len,
idx_T **idxsp,
bool prefixtree, // true for the prefix tree
int prefixcnt // when "prefixtree" is true: prefix count
)
+ FUNC_ATTR_NONNULL_ARG(1, 2, 4)
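Review bot: The new `bytsp_len` parameter is the only one in this signature without a trailing comment, and the fact that it may be NULL is expressed only by its absence from `FUNC_ATTR_NONNULL_ARG(1, 2, 4)`. Document it in the same style as the parameters below it: `long *bytsp_len, // when not NULL, receives the byte count of *bytsp`. The function body continues past this hunk.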
{
int idx;
char_u *bp;
@@ -1653,6 +1659,9 @@ spell_read_tree (
// Allocate the byte array.
bp = xmalloc(len);
*bytsp = bp;
+ if (bytsp_len != NULL) {
+ *bytsp_len = len;
+ }
// Allocate the index array.
ip = xcalloc(len, sizeof(*ip));
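Review bot: `*bytsp_len` is written only on the path that reaches the allocation; any early return before `xmalloc(len)` (for a negative or zero `len`, which would be outside this hunk) leaves the caller's field untouched, which is stale when a tree is re-read into an existing slang_S. Initialize the out-parameter at function entry, `if (bytsp_len != NULL) { *bytsp_len = 0; }`, so the length always describes whatever `*bytsp` currently holds. Storing the length before the byte array is filled is acceptable for the visible callers, since a short read makes them discard the structure via `someerror`. The function body starts and ends outside this hunk.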
@@ -4850,10 +4859,10 @@ static int sug_filltree(spellinfo_T *spin, slang_T *slang)
spin->si_blocks_cnt = 0;
// Skip over any other NUL bytes (same word with different
- // flags).
- while (byts[n + 1] == 0) {
- ++n;
- ++curi[depth];
+ // flags). But don't go over the end.
+ while (n + 1 < slang->sl_fbyts_len && byts[n + 1] == 0) {
+ n++;
+ curi[depth]++;
}
} else {
// Normal char, go one level deeper.