patch 9.1.0903: potential overflow in spell_soundfold_wsal()

Problem: potential overflow in spell_soundfold_wsal() Solution: Protect wres from buffer overflow, by checking the length (Zdenek Dohnal) Error: OVERRUN (CWE-119): vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that "reslen" is 254 on the false branch. vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen" is now 255. vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254 4-byte elements at element index 254 (byte offset 1019) using index "reslen - 1" (which evaluates to 254). 3789| { 3790| // rule with '<' is used 3791|-> if (reslen > 0 && ws != NULL && *ws != NUL 3792| && (wres[reslen - 1] == c 3793| || wres[reslen - 1] == *ws)) Error: OVERRUN (CWE-119): vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that "reslen" is 254 on the false branch. vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254 4-byte elements at element index 254 (byte offset 1019) using index "reslen++" (which evaluates to 254). 3831| { 3832| if (c != NUL) 3833|-> wres[reslen++] = c; 3834| mch_memmove(word, word + i + 1, 3835| sizeof(int) * (wordlen - (i + 1) + 1)); related: #16163 Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
2024-12-04 20:16:17 +01:00
parent eda923e9c9
commit 39a94d2048
2 changed files with 3 additions and 1 deletions
--- a/src/spell.c
+++ b/src/spell.c
@@ -3829,7 +3829,7 @@ spell_soundfold_wsal(slang_T *slang, char_u *inword, char_u *res)
 			    c = *ws;
 			if (strstr((char *)s, "^^") != NULL)
 			{
-			    if (c != NUL)
+			    if (c != NUL && reslen < MAXWLEN)
 				wres[reslen++] = c;
 			    mch_memmove(word, word + i + 1,
 				       sizeof(int) * (wordlen - (i + 1) + 1));
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    903,
 /**/
    902,
 /**/