authorzeertzjq <zeertzjq@outlook.com>2022-07-02 06:37:28 +0800
committerzeertzjq <zeertzjq@outlook.com>2022-07-02 06:55:23 +0800
commit998a96803b32dada4da26d0dc7a636f99319f0e6 (patch)
tree2747b76d2e1efc57828bb837b046ea0300c20316
parent0b15c019124965920c5f2df8c8ee75cd46311d27 (diff)
vim-patch:9.0.0021: invalid memory access when adding word to spell word list
Problem: Invalid memory access when adding word with a control character to the internal spell word list. Solution: Disallow adding a word with control characters or a trailing slash. https://github.com/vim/vim/commit/5e59ea54c0c37c2f84770f068d95280069828774
-rw-r--r--src/nvim/spellfile.c19
-rw-r--r--src/nvim/testdir/test_spell.vim15
2 files changed, 32 insertions, 2 deletions
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c
index 07f3d39886..423ed04176 100644
--- a/src/nvim/spellfile.c
+++ b/src/nvim/spellfile.c
@@ -3904,6 +3904,21 @@ static wordnode_T *wordtree_alloc(spellinfo_T *spin)
return (wordnode_T *)getroom(spin, sizeof(wordnode_T), true);
}
+/// Return true if "word" contains valid word characters.
+/// Control characters and trailing '/' are invalid. Space is OK.
+static bool valid_spell_word(const char_u *word)
+{
+ if (!utf_valid_string(word, NULL)) {
+ return false;
+ }
+ for (const char_u *p = word; *p != NUL; p += utfc_ptr2len((const char *)p)) {
+ if (*p < ' ' || (p[0] == '/' && p[1] == NUL)) {
+ return false;
+ }
+ }
+ return true;
+}
+
/// Store a word in the tree(s).
/// Always store it in the case-folded tree. For a keep-case word this is
/// useful when the word can also be used with all caps (no WF_FIXCAP flag) and
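Review bot: The doc comment on `valid_spell_word` promises more than the loop enforces, because `*p < ' '` rejects only bytes below 0x20, so DEL (0x7f) and the C1 controls encoded as multi-byte UTF-8 still pass. If that is intended, the comment should state the exact rule, for example `/// Bytes below 0x20 and a trailing '/' are invalid. Space is OK.` The commit message ties the check to an invalid memory access, so a one-line why-comment saying that these bytes must never reach the word tree would keep a later maintainer from relaxing the test.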
@@ -3925,7 +3940,7 @@ static int store_word(spellinfo_T *spin, char_u *word, int flags, int region, co
int res = OK;
// Avoid adding illegal bytes to the word tree.
- if (!utf_valid_string(word, NULL)) {
+ if (!valid_spell_word(word)) {
return FAIL;
}
@@ -5522,7 +5537,7 @@ void spell_add_word(char_u *word, int len, SpellAddType what, int idx, bool undo
int i;
char_u *spf;
- if (!utf_valid_string(word, NULL)) {
+ if (!valid_spell_word(word)) {
emsg(_(e_illegal_character_in_word));
return;
}
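Review bot: `spell_add_word` receives an explicit `len`, but the new `valid_spell_word(word)` call scans to the terminating NUL, so validation is not limited to the bytes the caller passed as the word. The trailing-slash test `p[1] == NUL` is evaluated against the end of the buffer rather than `word + len`, so a '/' at position `len - 1` followed by more text would pass, while a control byte after `len` would reject an otherwise good word. Consider giving the helper an end pointer and calling `if (!valid_spell_word(word, word + len)) {` here, with the helper stopping at `end` as well as at NUL. The rest of `spell_add_word` is outside the hunk, so confirm how `len` is used after the check.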
diff --git a/src/nvim/testdir/test_spell.vim b/src/nvim/testdir/test_spell.vim
index 215d4387d6..d0895a48b4 100644
--- a/src/nvim/testdir/test_spell.vim
+++ b/src/nvim/testdir/test_spell.vim
@@ -699,6 +699,21 @@ func Test_spellsuggest_too_deep()
bwipe!
endfunc
+func Test_spell_good_word_invalid()
+ " This was adding a word with a 0x02 byte, which causes havoc.
+ enew
+ norm o0
+ sil! norm rzzWs00/
+ 2
+ sil! norm VzGprzzW
+ sil! norm z=
+
+ bwipe!
+ " clear the internal word list
+ " set enc=latin1
+ set enc=utf-8
+endfunc
+
func LoadAffAndDic(aff_contents, dic_contents)
throw 'skipped: Nvim does not support enc=latin1'
set enc=latin1
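Review bot: `Test_spell_good_word_invalid` contains no assertion and runs every `norm` under `sil!`, so it passes whether or not the word is rejected. It only catches a regression when the run happens to crash or is executed under a memory checker. A direct check would pin the new behaviour, for example an `assert_fails()` around a `:spellgood!` of a word ending in '/', expecting the illegal-character error that `spell_add_word` emits.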