From 01edcd6db85ab2abffa95bc4dce6cfb8de617bca Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Sat, 2 Dec 2023 10:07:13 +0800 Subject: vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk Problem: [security]: buffer-overflow in suggest_trie_walk Solution: Check n before using it as index into byts array Basically, n as an index into the byts array, can point to beyond the byts array. So let's double check, that n is within the expected range after incrementing it from sp->ts_curi and bail out if it would be invalid. Reported by @henices, thanks! https://github.com/vim/vim/commit/0fb375aae608d7306b4baf9c1f906961f32e2abf Co-authored-by: Christian Brabandt --- src/nvim/spellsuggest.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src') diff --git a/src/nvim/spellsuggest.c b/src/nvim/spellsuggest.c index bdac5aa587..efd647a5c3 100644 --- a/src/nvim/spellsuggest.c +++ b/src/nvim/spellsuggest.c @@ -1941,6 +1941,12 @@ static void suggest_trie_walk(suginfo_T *su, langp_T *lp, char *fword, bool soun // - Skip the byte if it's equal to the byte in the word, // accepting that byte is always better. n += sp->ts_curi++; + + // break out, if we would be accessing byts buffer out of bounds + if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len) { + got_int = true; + break; + } c = byts[n]; if (soundfold && sp->ts_twordlen == 0 && c == '*') { // Inserting a vowel at the start of a word counts less, -- cgit