To: vim_dev@googlegroups.com Subject: Patch 8.2.1521 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.1521 Problem: Reading past end of buffer when reading spellfile. (Yegappan Lakshmanan) Solution: Store the byte length and check for it. Files: src/spellfile.c, src/spell.h *** ../vim-8.2.1520/src/spellfile.c 2020-08-20 15:41:51.632896184 +0200 --- src/spellfile.c 2020-08-24 20:04:07.869868395 +0200 *************** *** 315,321 **** static int set_sofo(slang_T *lp, char_u *from, char_u *to); static void set_sal_first(slang_T *lp); static int *mb_str2wide(char_u *s); ! static int spell_read_tree(FILE *fd, char_u **bytsp, idx_T **idxsp, int prefixtree, int prefixcnt); static idx_T read_tree_node(FILE *fd, char_u *byts, idx_T *idxs, int maxidx, idx_T startidx, int prefixtree, int maxprefcondnr); static void set_spell_charflags(char_u *flags, int cnt, char_u *upp); static int set_spell_chartab(char_u *fol, char_u *low, char_u *upp); --- 315,321 ---- static int set_sofo(slang_T *lp, char_u *from, char_u *to); static void set_sal_first(slang_T *lp); static int *mb_str2wide(char_u *s); ! static int spell_read_tree(FILE *fd, char_u **bytsp, long *bytsp_len, idx_T **idxsp, int prefixtree, int prefixcnt); static idx_T read_tree_node(FILE *fd, char_u *byts, idx_T *idxs, int maxidx, idx_T startidx, int prefixtree, int maxprefcondnr); static void set_spell_charflags(char_u *flags, int cnt, char_u *upp); static int set_spell_chartab(char_u *fol, char_u *low, char_u *upp); *************** *** 553,569 **** } // ! res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fidxs, FALSE, 0); if (res != 0) goto someerror; // ! res = spell_read_tree(fd, &lp->sl_kbyts, &lp->sl_kidxs, FALSE, 0); if (res != 0) goto someerror; // ! res = spell_read_tree(fd, &lp->sl_pbyts, &lp->sl_pidxs, TRUE, lp->sl_prefixcnt); if (res != 0) goto someerror; --- 553,570 ---- } // ! 
res = spell_read_tree(fd, &lp->sl_fbyts, &lp->sl_fbyts_len, ! &lp->sl_fidxs, FALSE, 0); if (res != 0) goto someerror; // ! res = spell_read_tree(fd, &lp->sl_kbyts, NULL, &lp->sl_kidxs, FALSE, 0); if (res != 0) goto someerror; // ! res = spell_read_tree(fd, &lp->sl_pbyts, NULL, &lp->sl_pidxs, TRUE, lp->sl_prefixcnt); if (res != 0) goto someerror; *************** *** 737,743 **** * : * Read the trie with the soundfolded words. */ ! if (spell_read_tree(fd, &slang->sl_sbyts, &slang->sl_sidxs, FALSE, 0) != 0) { someerror: --- 738,744 ---- * : * Read the trie with the soundfolded words. */ ! if (spell_read_tree(fd, &slang->sl_sbyts, NULL, &slang->sl_sidxs, FALSE, 0) != 0) { someerror: *************** *** 1572,1577 **** --- 1573,1579 ---- spell_read_tree( FILE *fd, char_u **bytsp, + long *bytsp_len, idx_T **idxsp, int prefixtree, // TRUE for the prefix tree int prefixcnt) // when "prefixtree" is TRUE: prefix count *************** *** 1596,1601 **** --- 1598,1605 ---- if (bp == NULL) return SP_OTHERERROR; *bytsp = bp; + if (bytsp_len != NULL) + *bytsp_len = len; // Allocate the index array. ip = lalloc_clear(len * sizeof(int), TRUE); *************** *** 5609,5616 **** spin->si_blocks_cnt = 0; // Skip over any other NUL bytes (same word with different ! // flags). ! while (byts[n + 1] == 0) { ++n; ++curi[depth]; --- 5613,5620 ---- spin->si_blocks_cnt = 0; // Skip over any other NUL bytes (same word with different ! // flags). But don't go over the end. ! while (n + 1 < slang->sl_fbyts_len && byts[n + 1] == 0) { ++n; ++curi[depth]; *** ../vim-8.2.1520/src/spell.h 2019-11-30 18:55:35.000000000 +0100 --- src/spell.h 2020-08-24 19:59:13.826786299 +0200 *************** *** 66,71 **** --- 66,72 ---- int sl_add; // TRUE if it's a .add file. 
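Review bot: Only the case-folded trie gets its byte length recorded; the calls for `sl_kbyts` and `sl_pbyts` in this hunk, and the one for `sl_sbyts` in the 737,743 hunk, pass `NULL` and keep no bound for those arrays. The patch only bounds the `sl_fbyts` loop in the 5609,5616 hunk, so this may be deliberate, but if any other walker skips NUL bytes with the same `byts[n + 1] == 0` pattern on the other tries it stays unbounded. Adding `sl_kbyts_len`, `sl_pbyts_len` and `sl_sbyts_len` next to the new `sl_fbyts_len` and passing `&lp->sl_kbyts_len` etc. here would make all four tries consistent at little cost; otherwise a comment at each `NULL` argument should say why only the case-folded trie needs a length, e.g. `// length only used by the NUL-skip loop over sl_fbyts`.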
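Review bot: The new `bytsp_len` parameter is the only one in this signature without a trailing comment, while `prefixtree` and `prefixcnt` both document their meaning. Its contract (optional, written only when non-NULL, receives the byte count of `*bytsp`) is only discoverable from the body further down, so document it at the declaration: `long *bytsp_len, // when not NULL: receives the length of *bytsp`. The function body continues outside the hunk.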
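Review bot: `*bytsp_len` is written only on the path where the byte array was successfully allocated; on the early return visible just above (`bp == NULL`) and on any path that never reaches this point, the caller's `sl_fbyts_len` keeps whatever value it already had. That is harmless for a freshly zeroed `slang_T`, but if a `slang_T` is reused after its `sl_fbyts` has been freed and the reset of `sl_fbyts_len` is not part of this patch, a stale length would make the new bound in the 5613,5620 hunk larger than the array. Either reset the output before the first early return, `if (bytsp_len != NULL) *bytsp_len = 0;`, or clear the field wherever `sl_fbyts` is freed; the `spell.h` hunk that adds `sl_fbyts_len` is the place to state that invariant, e.g. `long sl_fbyts_len; // length of sl_fbyts, 0 when sl_fbyts is NULL`.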
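Review bot: The new bound `slang->sl_fbyts_len` only protects this loop if the local `byts` is the same array as `slang->sl_fbyts`, and the assignment that establishes that pairing is outside the hunk (the enclosing function starts and ends outside it). A reader of this loop cannot verify it, so either state it in the comment, `// flags). But don't go over the end of byts (== slang->sl_fbyts).`, or read the length into a local next to `byts` and compare against that. Note also that when the bound stops the loop the code continues with `n` at the last byte rather than reporting a truncated trie; if the lines after the loop index `byts[n + 1]` again they need the same guard.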
char_u *sl_fbyts; // case-folded word bytes + long sl_fbyts_len; // length of sl_fbyts idx_T *sl_fidxs; // case-folded word indexes char_u *sl_kbyts; // keep-case word bytes idx_T *sl_kidxs; // keep-case word indexes *** ../vim-8.2.1520/src/version.c 2020-08-23 21:46:29.075938591 +0200 --- src/version.c 2020-08-23 22:26:22.253933389 +0200 *************** *** 756,757 **** --- 756,759 ---- { /* Add new patch number below this line */ + /**/ + 1521, /**/ -- ARTHUR: Right! Knights! Forward! ARTHUR leads a charge toward the castle. Various shots of them battling on, despite being hit by a variety of farm animals. "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///