patch 9.0.2141: [security]: buffer-overflow in suggest_trie_walk Problem: [security]: buffer-overflow in suggest_trie_walk Solution: Check n before using it as index into byts array Basically, n as an index into the byts array, can point to beyond the byts array. So let's double check, that n is within the expected range after incrementing it from sp->ts_curi and bail out if it would be invalid. Reported by @henices, thanks! Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 0fb375aae608d7306b4baf9c1f906961f32e2abf [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Wed Nov 29 10:23:39 2023 +0100
committer: Christian Brabandt <cb@256bit.org> Fri Dec 01 18:58:50 2023 +0100
tree: 10a990e59a5b11b65536b3ad9a482e0a26a9d584
parent: eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a [diff] [blame]
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index e1c303a..ecc0a74 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c

@@ -2175,6 +2175,13 @@
 	    // - Skip the byte if it's equal to the byte in the word,
 	    //   accepting that byte is always better.
 	    n += sp->ts_curi++;
+
+	    // break out, if we would be accessing byts buffer out of bounds
+	    if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len)
+	    {
+		got_int = TRUE;
+		break;
+	    }
 	    c = byts[n];
 	    if (soundfold && sp->ts_twordlen == 0 && c == '*')
 		// Inserting a vowel at the start of a word counts less,
commit	0fb375aae608d7306b4baf9c1f906961f32e2abf	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Wed Nov 29 10:23:39 2023 +0100
committer	Christian Brabandt <cb@256bit.org>	Fri Dec 01 18:58:50 2023 +0100
tree	10a990e59a5b11b65536b3ad9a482e0a26a9d584
parent	eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a [diff] [blame]