Patch 8.2.1521
Problem:    Reading past end of buffer when reading spellfile. (Yegappan
            Lakshmanan)
Solution:   Store the byte length and check for it.
Files:      src/spellfile.c, src/spell.h


*** ../vim-8.2.1520/src/spellfile.c     2020-08-20 15:41:51.632896184 +0200
--- src/spellfile.c     2020-08-24 20:04:07.869868395 +0200
***************
*** 315,321 ****
  static int set_sofo(slang_T *lp, char_u *from, char_u *to);
  static void set_sal_first(slang_T *lp);
  static int *mb_str2wide(char_u *s);
! static int spell_read_tree(FILE *fd, char_u **bytsp, idx_T **idxsp, int 
prefixtree, int prefixcnt);
  static idx_T read_tree_node(FILE *fd, char_u *byts, idx_T *idxs, int maxidx, 
idx_T startidx, int prefixtree, int maxprefcondnr);
  static void set_spell_charflags(char_u *flags, int cnt, char_u *upp);
  static int set_spell_chartab(char_u *fol, char_u *low, char_u *upp);
--- 315,321 ----
  static int set_sofo(slang_T *lp, char_u *from, char_u *to);
  static void set_sal_first(slang_T *lp);
  static int *mb_str2wide(char_u *s);
! static int spell_read_tree(FILE *fd, char_u **bytsp, long *bytsp_len, idx_T 
**idxsp, int prefixtree, int prefixcnt);
  static idx_T read_tree_node(FILE *fd, char_u *byts, idx_T *idxs, int maxidx, 
idx_T startidx, int prefixtree, int maxprefcondnr);
  static void set_spell_charflags(char_u *flags, int cnt, char_u *upp);
  static int set_spell_chartab(char_u *fol, char_u *low, char_u *upp);
***************
*** 553,569 ****
      }
  
      // <LWORDTREE>
!     res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fidxs, FALSE, 0);
      if (res != 0)
        goto someerror;
  
      // <KWORDTREE>
!     res = spell_read_tree(fd, &lp->sl_kbyts, &lp->sl_kidxs, FALSE, 0);
      if (res != 0)
        goto someerror;
  
      // <PREFIXTREE>
!     res = spell_read_tree(fd, &lp->sl_pbyts, &lp->sl_pidxs, TRUE,
                                                            lp->sl_prefixcnt);
      if (res != 0)
        goto someerror;
--- 553,570 ----
      }
  
      // <LWORDTREE>
!     res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fbyts_len,
!                                                     &lp->sl_fidxs, FALSE, 0);
      if (res != 0)
        goto someerror;
  
      // <KWORDTREE>
!     res = spell_read_tree(fd, &lp->sl_kbyts, NULL, &lp->sl_kidxs, FALSE, 0);
      if (res != 0)
        goto someerror;
  
      // <PREFIXTREE>
!     res = spell_read_tree(fd, &lp->sl_pbyts, NULL, &lp->sl_pidxs, TRUE,
                                                            lp->sl_prefixcnt);
      if (res != 0)
        goto someerror;
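Review bot: Only the case-folded tree records its byte length; the `<KWORDTREE>` and `<PREFIXTREE>` calls pass `NULL` for `bytsp_len`, and so does the `<SUGWORDTREE>` call in the hunk at 737. The guard added later in the patch is applied only to the `sl_fbyts` walk, so any similar lookahead over `sl_kbyts`, `sl_pbyts` or `sl_sbyts` would have no length to check against; whether such walks exist is not visible here. Since `spell_read_tree` already has the length in hand, storing it for all four trees (e.g. `sl_kbyts_len`, `sl_pbyts_len`, `sl_sbyts_len` in `slang_T`) costs three `long`s and makes the same bound available wherever those arrays are indexed with a lookahead. The enclosing function starts and ends outside the hunk.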
***************
*** 737,743 ****
             * <SUGWORDTREE>: <wordtree>
             * Read the trie with the soundfolded words.
             */
!           if (spell_read_tree(fd, &slang->sl_sbyts, &slang->sl_sidxs,
                                                               FALSE, 0) != 0)
            {
  someerror:
--- 738,744 ----
             * <SUGWORDTREE>: <wordtree>
             * Read the trie with the soundfolded words.
             */
!           if (spell_read_tree(fd, &slang->sl_sbyts, NULL, &slang->sl_sidxs,
                                                               FALSE, 0) != 0)
            {
  someerror:
***************
*** 1572,1577 ****
--- 1573,1579 ----
  spell_read_tree(
      FILE      *fd,
      char_u    **bytsp,
+     long      *bytsp_len,
      idx_T     **idxsp,
      int               prefixtree,     // TRUE for the prefix tree
      int               prefixcnt)      // when "prefixtree" is TRUE: prefix 
count
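Review bot: The new `bytsp_len` parameter is the only one in the list without a trailing comment, and its contract — optional, written only when non-NULL — is not stated at the declaration. `long *bytsp_len, // when not NULL: set to the byte length of *bytsp` would document it in the same style as the neighbouring parameters. The function body continues outside the hunk.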
***************
*** 1596,1601 ****
--- 1598,1605 ----
        if (bp == NULL)
            return SP_OTHERERROR;
        *bytsp = bp;
+       if (bytsp_len != NULL)
+           *bytsp_len = len;
  
        // Allocate the index array.
        ip = lalloc_clear(len * sizeof(int), TRUE);
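Review bot: `*bytsp_len` is stored next to `*bytsp = bp`, i.e. inside the branch that allocates the byte array; if that branch is skipped for a zero-length tree (the `bp == NULL` check suggests it is guarded by a length test, but the condition itself is outside the hunk), `*bytsp_len` is never written and keeps whatever the caller's `slang_T` already held. The bound check added in the hunk at 5609 trusts `sl_fbyts_len` unconditionally, so it is only safe if `slang_T` is zero-initialised at allocation or the length is stored on every successful path. Moving `if (bytsp_len != NULL) *bytsp_len = len;` to just after `len` is known, before the allocation branch, removes that dependency. The enclosing function starts and ends outside the hunk.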
***************
*** 5609,5616 ****
                spin->si_blocks_cnt = 0;
  
                // Skip over any other NUL bytes (same word with different
!               // flags).
!               while (byts[n + 1] == 0)
                {
                    ++n;
                    ++curi[depth];
--- 5613,5620 ----
                spin->si_blocks_cnt = 0;
  
                // Skip over any other NUL bytes (same word with different
!               // flags).  But don't go over the end.
!               while (n + 1 < slang->sl_fbyts_len && byts[n + 1] == 0)
                {
                    ++n;
                    ++curi[depth];
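Review bot: The guard bounds `n + 1` by `slang->sl_fbyts_len` while the array being read is `byts`; nothing in the hunk shows that `byts` is `slang->sl_fbyts`, so the correctness of the check rests on an assignment made outside the hunk. A comment on the condition, `// byts is slang->sl_fbyts, so sl_fbyts_len is its bound`, or indexing `slang->sl_fbyts[n + 1]` directly, would make that dependency visible to the next reader. The enclosing function starts and ends outside the hunk.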
*** ../vim-8.2.1520/src/spell.h 2019-11-30 18:55:35.000000000 +0100
--- src/spell.h 2020-08-24 19:59:13.826786299 +0200
***************
*** 66,71 ****
--- 66,72 ----
      int               sl_add;         // TRUE if it's a .add file.
  
      char_u    *sl_fbyts;      // case-folded word bytes
+     long      sl_fbyts_len;   // length of sl_fbyts
      idx_T     *sl_fidxs;      // case-folded word indexes
      char_u    *sl_kbyts;      // keep-case word bytes
      idx_T     *sl_kidxs;      // keep-case word indexes
*** ../vim-8.2.1520/src/version.c       2020-08-23 21:46:29.075938591 +0200
--- src/version.c       2020-08-23 22:26:22.253933389 +0200
***************
*** 756,757 ****
--- 756,759 ----
  {   /* Add new patch number below this line */
+ /**/
+     1521,
  /**/

-- 
ARTHUR: Right! Knights! Forward!
   ARTHUR leads a charge toward the castle.  Various shots of them battling on,
   despite being hit by a variety of farm animals.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
