From 9511faa819e8260aa7ae2c2ff140070bbc96efa9 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Sun, 31 Jul 2022 05:48:24 +0800
Subject: vim-patch:9.0.0109: writing over the end of a buffer on stack (#19581)
Problem: Writing over the end of a buffer on stack when making list of spell suggestions.
Solution: Make sure suggested word is not too long. (closes vim/vim#10812)
https://github.com/vim/vim/commit/1eead4cf1daf87ee41aeb4de3b3e38708417f9d5
---
 src/nvim/spell.c | 9 ++++-----
 src/nvim/testdir/test_spell_utf8.vim | 8 ++++++++
 2 files changed, 12 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/nvim/spell.c b/src/nvim/spell.c
index a8ac3e2705..1e2c124392 100644
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@@ -2965,12 +2965,11 @@ void spell_suggest(int count)
 stp = &SUG(sug.su_ga, i);
 // The suggested word may replace only part of the bad word, add
- // the not replaced part.
+ // the not replaced part. But only when it's not getting too long.
 STRLCPY(wcopy, stp->st_word, MAXWLEN + 1);
- if (sug.su_badlen > stp->st_orglen) {
- STRLCPY(wcopy + stp->st_wordlen,
- sug.su_badptr + stp->st_orglen,
- sug.su_badlen - stp->st_orglen + 1);
+ int el = sug.su_badlen - stp->st_orglen;
+ if (el > 0 && stp->st_wordlen + el <= MAXWLEN) {
+ STRLCPY(wcopy + stp->st_wordlen, sug.su_badptr + stp->st_orglen, el + 1);
 }
 vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
 if (cmdmsg_rl) {
diff --git a/src/nvim/testdir/test_spell_utf8.vim b/src/nvim/testdir/test_spell_utf8.vim
index b7e3da37cb..7c588d736a 100644
--- a/src/nvim/testdir/test_spell_utf8.vim
+++ b/src/nvim/testdir/test_spell_utf8.vim
@@ -820,5 +820,13 @@ func Test_check_empty_line()
 bwipe!
 endfunc
+func Test_spell_suggest_too_long()
+ " this was creating a word longer than MAXWLEN
+ new
+ call setline(1, 'a' .. repeat("\u0333", 150))
+ norm! z=
+ bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
-- cgit
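Review bot: In the src/nvim/spell.c hunk, the new guard `stp->st_wordlen + el <= MAXWLEN` is only correct relative to the size of `wcopy`, whose declaration is outside the hunk. The tail copy writes its NUL at index `st_wordlen + el`, so the buffer must hold at least MAXWLEN + 1 bytes, which the preceding `STRLCPY(wcopy, stp->st_word, MAXWLEN + 1)` implies but does not state. A comment tying the bound to the buffer would keep a later resize from reintroducing the stack overwrite, for example `// wcopy must hold at least MAXWLEN + 1 bytes: st_wordlen + el chars plus the NUL`. When the guard fails the not-replaced tail is dropped silently, so the listed suggestion appears without it; that is presumably acceptable for words this long, but the comment should say so. The body of spell_suggest() starts and ends outside the hunk.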
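Review bot: Test_spell_suggest_too_long in src/nvim/testdir/test_spell_utf8.vim asserts nothing, so it catches a regression only if the out-of-bounds write crashes the process or the suite runs under a memory checker such as ASan or Valgrind. Stating that in the test keeps it from being read as a no-op; the existing comment could become `" this was creating a word longer than MAXWLEN; passes if z= returns without a crash or sanitizer report`.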