commit d3c907b5d2b352482b580a0cf687cbbea4c19ea1
author Bram Moolenaar <Bram@vim.org> Wed Aug 17 21:32:09 2016 +0200
committer Bram Moolenaar <Bram@vim.org> Wed Aug 17 21:32:09 2016 +0200
tree 4ef356217c0b95e6f6ee5b5d3bb756c103ef8b82
parent 6bff02eb530aa29aafa2cb5627399837be7a5dd5

patch 7.4.2223
Problem:    Buffer overflow when using latin1 character with feedkeys().
Solution:   Check for an illegal character.  Add a test.

src/spell.c

diff --git a/src/spell.c b/src/spell.c
index 35235e0..8d8689b 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -5379,7 +5379,7 @@
 #ifdef FEAT_MBYTE
 	    if (has_mbyte)
 	    {
-		n = mb_cptr2len(p);
+		n = MB_CPTR2LEN(p);
 		c = mb_ptr2char(p);
 		if (p[n] == NUL)
 		    c2 = NUL;
@@ -5477,9 +5477,9 @@
 #ifdef FEAT_MBYTE
 	    if (has_mbyte)
 	    {
-		n = mb_cptr2len(p);
+		n = MB_CPTR2LEN(p);
 		c = mb_ptr2char(p);
-		fl = mb_cptr2len(p + n);
+		fl = MB_CPTR2LEN(p + n);
 		c2 = mb_ptr2char(p + n);
 		if (!soundfold && !spell_iswordp(p + n + fl, curwin))
 		    c3 = c;	/* don't swap non-word char */
@@ -5596,10 +5596,10 @@
 #ifdef FEAT_MBYTE
 		if (has_mbyte)
 		{
-		    n = mb_cptr2len(p);
+		    n = MB_CPTR2LEN(p);
 		    c = mb_ptr2char(p);
-		    fl = mb_cptr2len(p + n);
-		    fl += mb_cptr2len(p + n + fl);
+		    fl = MB_CPTR2LEN(p + n);
+		    fl += MB_CPTR2LEN(p + n + fl);
 		    mch_memmove(p, p + n, fl);
 		    mb_char2bytes(c, p + fl);
 		    stack[depth].ts_fidxtry = sp->ts_fidx + n + fl;
@@ -5661,10 +5661,10 @@
 #ifdef FEAT_MBYTE
 		if (has_mbyte)
 		{
-		    n = mb_cptr2len(p);
-		    n += mb_cptr2len(p + n);
+		    n = MB_CPTR2LEN(p);
+		    n += MB_CPTR2LEN(p + n);
 		    c = mb_ptr2char(p + n);
-		    tl = mb_cptr2len(p + n);
+		    tl = MB_CPTR2LEN(p + n);
 		    mch_memmove(p + tl, p, n);
 		    mb_char2bytes(c, p);
 		    stack[depth].ts_fidxtry = sp->ts_fidx + n + tl;
@@ -5955,8 +5955,8 @@
 #ifdef FEAT_MBYTE
 	    if (has_mbyte)
 	    {
-		flen = mb_cptr2len(fword + fwordidx[depth]);
-		ulen = mb_cptr2len(uword + uwordidx[depth]);
+		flen = MB_CPTR2LEN(fword + fwordidx[depth]);
+		ulen = MB_CPTR2LEN(uword + uwordidx[depth]);
 	    }
 	    else
 #endif