patch 9.1.0903: potential overflow in spell_soundfold_wsal()
Problem: potential overflow in spell_soundfold_wsal()
Solution: Protect wres from buffer overflow, by checking the
length (Zdenek Dohnal)
Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
"reslen" is 254 on the false branch.
vim91/src/spell.c:3833: incr: Incrementing "reslen". The value of "reslen"
is now 255.
vim91/src/spell.c:3792: overrun-local: Overrunning array "wres" of 254
4-byte elements at element index 254 (byte offset 1019) using index
"reslen - 1" (which evaluates to 254).
3789| {
3790| // rule with '<' is used
3791|-> if (reslen > 0 && ws != NULL && *ws != NUL
3792| && (wres[reslen - 1] == c
3793| || wres[reslen - 1] == *ws))
Error: OVERRUN (CWE-119):
vim91/src/spell.c:3819: cond_const: Checking "reslen < 254" implies that
"reslen" is 254 on the false branch.
vim91/src/spell.c:3833: overrun-local: Overrunning array "wres" of 254
4-byte elements at element index 254 (byte offset 1019) using index
"reslen++" (which evaluates to 254).
3831| {
3832| if (c != NUL)
3833|-> wres[reslen++] = c;
3834| mch_memmove(word, word + i + 1,
3835| sizeof(int) * (wordlen -
(i + 1) + 1));
related: #16163
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/spell.c b/src/spell.c
index 5a7720f..2581a5e 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3829,7 +3829,7 @@
c = *ws;
if (strstr((char *)s, "^^") != NULL)
{
- if (c != NUL)
+ if (c != NUL && reslen < MAXWLEN)
wres[reslen++] = c;
mch_memmove(word, word + i + 1,
sizeof(int) * (wordlen - (i + 1) + 1));
diff --git a/src/version.c b/src/version.c
index 5a9f50f..95d4cc1 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 903,
+/**/
902,
/**/
901,