vim-patch:9.2.0623: possible integer overflow in spellfile tree bounds check (#40204)

Problem:  possible integer overflow in spellfile tree bounds check
Solution: Rewrite the overflow check (Devon Kirk)

The check 'startidx + len >= maxidx' uses signed int addition and can
overflow when startidx approaches INT_MAX. After overflow the wrapped
result bypasses the guard, allowing the subsequent loop to write
idxs[startidx + i] out of bounds on the heap.

Replace the addition with a safe subtractive check that maintains the
original >= semantics: len >= maxidx - startidx cannot overflow because
both operands are valid indices within [0, maxidx].

This fixes CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based
Buffer Overflow).

closes: vim/vim#20483

276920e138

Co-authored-by: Devon Kirk <hyder365@users.noreply.github.com>
zeertzjq
2026-06-12 19:37:44 +08:00
committed by GitHub
parent 6f68c872d6
commit 76cacf6f8b
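The overflow described in the commit message, as an added illustration that is not Vim's code and not part of this commit: `naive_check_rejects` emulates what the old `startidx + len >= maxidx` computes once the signed sum wraps (the wrap is performed explicitly through a 64-bit intermediate, because signed overflow itself is undefined behaviour in C), `safe_check_rejects` is the patched subtractive form, and `check_prevents_oob` asks whether a given guard stops every write the loop `idxs[startidx + i]` would make past `maxidx`. The `idx_T` typedef and the 0..255 range of `len` are assumptions taken from the hunk header and the `byts[idx++] = (uint8_t)len` line.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed illustration, not Vim's spellfile code. idx_T is assumed to be
 * int, as the hunk header (idx_T *idxs, int maxidx) suggests, and len is the
 * node length read from the file, which fits in one byte (0..255). */
typedef int idx_T;

/* What the original guard 'startidx + len >= maxidx' evaluates to when the
 * addition wraps. The sum is formed in 64 bits and reduced to a 32-bit
 * two's-complement value by hand so the demonstration does not rely on
 * undefined signed overflow. Returns true when the node is rejected. */
static bool naive_check_rejects(idx_T startidx, int len, idx_T maxidx)
{
    int64_t wide = (int64_t)startidx + (int64_t)len;
    int32_t wrapped = (int32_t)(uint32_t)wide;   /* explicit 32-bit wrap */
    return wrapped >= maxidx;
}

/* The patched guard 'len >= maxidx - startidx'. With 0 <= startidx <= maxidx
 * the difference lies in [0, maxidx], so it cannot overflow. If startidx ever
 * exceeds maxidx the difference is negative and any len >= 0 is rejected,
 * which fails closed. */
static bool safe_check_rejects(idx_T startidx, int len, idx_T maxidx)
{
    return len >= maxidx - startidx;
}

/* The loop after the guard writes idxs[startidx + i] for i in [0, len), so
 * the highest index touched is startidx + len - 1 (computed here in 64 bits
 * so the arithmetic itself is exact). Returns true when either no write is
 * out of bounds or the supplied guard rejects the node first. */
static bool check_prevents_oob(bool (*check)(idx_T, int, idx_T),
                               idx_T startidx, int len, idx_T maxidx)
{
    int64_t last = (int64_t)startidx + (int64_t)len - 1;
    bool oob = last >= (int64_t)maxidx;
    return !oob || check(startidx, len, maxidx);
}

/* Stand-alone driver: exit status 0 means the patched guard held in the
 * near-INT_MAX case where the additive form let the write through. */
int main(void)
{
    idx_T maxidx = INT_MAX - 5;       /* constructed: table nearly full */
    idx_T startidx = INT_MAX - 10;    /* constructed: start near INT_MAX */
    int len = 20;                     /* constructed: node overruns maxidx */
    bool old_ok = check_prevents_oob(naive_check_rejects, startidx, len, maxidx);
    bool new_ok = check_prevents_oob(safe_check_rejects, startidx, len, maxidx);
    return (!old_ok && new_ok) ? 0 : 1;
}
```

For in-range inputs the two guards agree (both reject `startidx + len == maxidx` and both accept `startidx + len == maxidx - 1`), which is the "maintains the original >= semantics" claim in the message; the difference only appears once the sum would exceed `INT_MAX`.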


@@ -1742,7 +1742,7 @@ static idx_T read_tree_node(FILE *fd, uint8_t *byts, idx_T *idxs, int maxidx, id
return SP_TRUNCERROR;
}
if (startidx + len >= maxidx) {
if (len >= maxidx - startidx) {
return SP_FORMERROR;
}
byts[idx++] = (uint8_t)len;
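Review bot: The rewritten guard `if (len >= maxidx - startidx)` needs a comment, because it is equivalent to the old `startidx + len >= maxidx` only under the precondition `0 <= startidx <= maxidx` that the commit message asserts, and a later reader may "simplify" it back to the additive form that overflowed. Suggest one line above the check, for example `// Subtraction, not addition: startidx + len overflows when startidx is near INT_MAX.` Two observations worth recording in the same comment: when `startidx` exceeds `maxidx` the difference is negative and any `len` (a byte value, per `byts[idx++] = (uint8_t)len`) returns `SP_FORMERROR`, which fails closed; and the subtraction itself could only overflow if `startidx` were negative, which the hunk does not rule out on its own, so confirming that the caller never passes a negative `startidx` would complete the review.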