updated for version 7.4.102
Problem: Crash when interrupting "z=".
Solution: Add safety check for word length. (Christian Brabandt, Dominique
Pelle)
diff --git a/src/spell.c b/src/spell.c
index 6e0d986..18a3957 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -13398,9 +13398,8 @@
/* Lookup the word "orgnr" one of the two tries. */
n = 0;
- wlen = 0;
wordcount = 0;
- for (;;)
+ for (wlen = 0; wlen < MAXWLEN - 3; ++wlen)
{
i = 1;
if (wordcount == orgnr && byts[n + 1] == NUL)
@@ -13414,6 +13413,7 @@
if (i > byts[n]) /* safety check */
{
STRCPY(theword + wlen, "BAD");
+ wlen += 3;
goto badword;
}
@@ -13426,7 +13426,7 @@
wordcount += wc;
}
- theword[wlen++] = byts[n + i];
+ theword[wlen] = byts[n + i];
n = idxs[n + i];
}
badword: