patch 9.0.0109: writing over the end of a buffer on stack
Problem: Writing over the end of a buffer on stack when making list of
spell suggestions.
Solution: Make sure suggested word is not too long. (closes #10812)
diff --git a/src/spellsuggest.c b/src/spellsuggest.c
index 8f97565..cc70ca7 100644
--- a/src/spellsuggest.c
+++ b/src/spellsuggest.c
@@ -592,15 +592,17 @@
msg_scroll = TRUE;
for (i = 0; i < sug.su_ga.ga_len; ++i)
{
+ int el;
+
stp = &SUG(sug.su_ga, i);
// The suggested word may replace only part of the bad word, add
- // the not replaced part.
+ // the not replaced part. But only when it's not getting too long.
vim_strncpy(wcopy, stp->st_word, MAXWLEN);
- if (sug.su_badlen > stp->st_orglen)
+ el = sug.su_badlen - stp->st_orglen;
+ if (el > 0 && stp->st_wordlen + el <= MAXWLEN)
vim_strncpy(wcopy + stp->st_wordlen,
- sug.su_badptr + stp->st_orglen,
- sug.su_badlen - stp->st_orglen);
+ sug.su_badptr + stp->st_orglen, el);
vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
#ifdef FEAT_RIGHTLEFT
if (cmdmsg_rl)
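Review bot: The new bound `stp->st_wordlen + el <= MAXWLEN` is only sufficient if `wcopy` holds at least MAXWLEN + 1 bytes, because vim_strncpy() copies at most `len` bytes and then stores a NUL at offset `len`, here `wcopy[stp->st_wordlen + el]`. The declaration of `wcopy` is outside this hunk, so its size should be confirmed and the dependency recorded next to the check, e.g. `// vim_strncpy() stores NUL at wcopy[st_wordlen + el]; wcopy must hold MAXWLEN + 1 bytes`. When the limit would be exceeded, the unreplaced tail is dropped without any indication, so the listed suggestion is shorter than the text it stands for; the comment could say that this truncation is intentional. If other code in this file appends the unreplaced tail to a suggestion the same way (not visible here), it would need the same bound. The loop body continues outside the hunk.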
diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
index 07cb87a..91ada1e 100644
--- a/src/testdir/test_spell_utf8.vim
+++ b/src/testdir/test_spell_utf8.vim
@@ -819,5 +819,13 @@
bwipe!
endfunc
+func Test_spell_suggest_too_long()
+ " this was creating a word longer than MAXWLEN
+ new
+ call setline(1, 'a' .. repeat("\u0333", 150))
+ norm! z=
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
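Review bot: Test_spell_suggest_too_long() contains no assertion, so it passes whenever `norm! z=` returns without crashing. A stack overwrite of this kind does not always crash a normal build, so the regression is probably only caught reliably when the test suite runs under a sanitizer or valgrind. It is worth saying so in the test comment, e.g. `" no assert here: the overflow only shows up in a sanitizer or valgrind run`.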
diff --git a/src/version.c b/src/version.c
index 80bd894..cc642cc 100644
--- a/src/version.c
+++ b/src/version.c
@@ -736,6 +736,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 109,
+/**/
108,
/**/
107,