patch 8.2.1521: reading past end of buffer when reading spellfile

Problem: Reading past end of buffer when reading spellfile. (Yegappan Lakshmanan) Solution: Store the byte length and check for it.
2025-07-26 11:04:33 -04:00 · 2020-08-24 20:05:50 +02:00 · 2020-08-24 20:05:50 +02:00 · 07399e7f07
commit 07399e7f07
parent b3ea36c5bc
3 changed files with 14 additions and 7 deletions
--- a/src/spell.h
+++ b/src/spell.h
@ -66,6 +66,7 @@ struct slang_S
    int		sl_add;		// TRUE if it's a .add file.

    char_u	*sl_fbyts;	// case-folded word bytes
+    long	sl_fbyts_len;	// length of sl_fbyts
    idx_T	*sl_fidxs;	// case-folded word indexes
    char_u	*sl_kbyts;	// keep-case word bytes
    idx_T	*sl_kidxs;	// keep-case word indexes
--- a/src/spellfile.c
+++ b/src/spellfile.c
@ -315,7 +315,7 @@ static int read_compound(FILE *fd, slang_T *slang, int len);
 static int set_sofo(slang_T *lp, char_u *from, char_u *to);
 static void set_sal_first(slang_T *lp);
 static int *mb_str2wide(char_u *s);
-static int spell_read_tree(FILE *fd, char_u **bytsp, idx_T **idxsp, int prefixtree, int prefixcnt);
+static int spell_read_tree(FILE *fd, char_u **bytsp, long *bytsp_len, idx_T **idxsp, int prefixtree, int prefixcnt);
 static idx_T read_tree_node(FILE *fd, char_u *byts, idx_T *idxs, int maxidx, idx_T startidx, int prefixtree, int maxprefcondnr);
 static void set_spell_charflags(char_u *flags, int cnt, char_u *upp);
 static int set_spell_chartab(char_u *fol, char_u *low, char_u *upp);
@ -553,17 +553,18 @@ truncerr:
    }

    // <LWORDTREE>
-    res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fidxs, FALSE, 0);
+    res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fbyts_len,
+						      &lp->sl_fidxs, FALSE, 0);
    if (res != 0)
 	goto someerror;

    // <KWORDTREE>
-    res = spell_read_tree(fd, &lp->sl_kbyts, &lp->sl_kidxs, FALSE, 0);
+    res = spell_read_tree(fd, &lp->sl_kbyts, NULL, &lp->sl_kidxs, FALSE, 0);
    if (res != 0)
 	goto someerror;

    // <PREFIXTREE>
-    res = spell_read_tree(fd, &lp->sl_pbyts, &lp->sl_pidxs, TRUE,
+    res = spell_read_tree(fd, &lp->sl_pbyts, NULL, &lp->sl_pidxs, TRUE,
 							    lp->sl_prefixcnt);
    if (res != 0)
 	goto someerror;
@ -737,7 +738,7 @@ suggest_load_files(void)
 	     * <SUGWORDTREE>: <wordtree>
 	     * Read the trie with the soundfolded words.
 	     */
-	    if (spell_read_tree(fd, &slang->sl_sbyts, &slang->sl_sidxs,
+	    if (spell_read_tree(fd, &slang->sl_sbyts, NULL, &slang->sl_sidxs,
 							       FALSE, 0) != 0)
 	    {
 someerror:
@ -1572,6 +1573,7 @@ mb_str2wide(char_u *s)
 spell_read_tree(
    FILE	*fd,
    char_u	**bytsp,
+    long	*bytsp_len,
    idx_T	**idxsp,
    int		prefixtree,	// TRUE for the prefix tree
    int		prefixcnt)	// when "prefixtree" is TRUE: prefix count
@ -1596,6 +1598,8 @@ spell_read_tree(
 	if (bp == NULL)
 	    return SP_OTHERERROR;
 	*bytsp = bp;
+	if (bytsp_len != NULL)
+	    *bytsp_len = len;

 	// Allocate the index array.
 	ip = lalloc_clear(len * sizeof(int), TRUE);
@ -5609,8 +5613,8 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
 		spin->si_blocks_cnt = 0;

 		// Skip over any other NUL bytes (same word with different
-		// flags).
-		while (byts[n + 1] == 0)
+		// flags).  But don't go over the end.
+		while (n + 1 < slang->sl_fbyts_len && byts[n + 1] == 0)
 		{
 		    ++n;
 		    ++curi[depth];
--- a/src/version.c
+++ b/src/version.c
@ -754,6 +754,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1521,
 /**/
    1520,
 /**/