vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk

Problem: [security]: buffer-overflow in suggest_trie_walk Solution: Check n before using it as index into byts array Basically, n as an index into the byts array, can point to beyond the byts array. So let's double check, that n is within the expected range after incrementing it from sp->ts_curi and bail out if it would be invalid. Reported by @henices, thanks! 0fb375aae6 Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-10-05 17:36:29 +00:00 · 2023-12-02 10:07:13 +08:00
parent 7402655132
commit 01edcd6db8
3 changed files with 14 additions and 0 deletions
--- a/src/nvim/spellsuggest.c
+++ b/src/nvim/spellsuggest.c
@@ -1941,6 +1941,12 @@ static void suggest_trie_walk(suginfo_T *su, langp_T *lp, char *fword, bool soun
      // - Skip the byte if it's equal to the byte in the word,
      //   accepting that byte is always better.
      n += sp->ts_curi++;
+
+      // break out, if we would be accessing byts buffer out of bounds
+      if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len) {
+        got_int = true;
+        break;
+      }
      c = byts[n];
      if (soundfold && sp->ts_twordlen == 0 && c == '*') {
        // Inserting a vowel at the start of a word counts less,