diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-12-02 10:07:13 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-12-02 10:41:31 +0800 |
| commit | 01edcd6db85ab2abffa95bc4dce6cfb8de617bca (patch) | |
| tree | 468b490eb527346fe8365c64420a2b7c6fc9549c /src | |
| parent | 7402655132f12f4181707dfc307636a2f6a21863 (diff) | |
| download | rneovim-01edcd6db85ab2abffa95bc4dce6cfb8de617bca.tar.gz rneovim-01edcd6db85ab2abffa95bc4dce6cfb8de617bca.tar.bz2 rneovim-01edcd6db85ab2abffa95bc4dce6cfb8de617bca.zip | |
vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk
Problem: [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array
Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.
Reported by @henices, thanks!
https://github.com/vim/vim/commit/0fb375aae608d7306b4baf9c1f906961f32e2abf
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/nvim/spellsuggest.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/nvim/spellsuggest.c b/src/nvim/spellsuggest.c index bdac5aa587..efd647a5c3 100644 --- a/src/nvim/spellsuggest.c +++ b/src/nvim/spellsuggest.c @@ -1941,6 +1941,12 @@ static void suggest_trie_walk(suginfo_T *su, langp_T *lp, char *fword, bool soun // - Skip the byte if it's equal to the byte in the word, // accepting that byte is always better. n += sp->ts_curi++; + + // break out, if we would be accessing byts buffer out of bounds + if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len) { + got_int = true; + break; + } c = byts[n]; if (soundfold && sp->ts_twordlen == 0 && c == '*') { // Inserting a vowel at the start of a word counts less, |