Problem:  read_compound() in spellfile.c computes the size of the regex
          pattern buffer using signed-int arithmetic on the
          attacker-controlled SN_COMPOUND sectionlen. With
          sectionlen=0x40000008 and UTF-8 encoding active the
          multiplication wraps to 27 while the per-byte loop writes up
          to ~1B bytes, overflowing the heap. Reachable when loading a
          crafted .spl file (e.g. via 'set spell' after a modeline sets
          'spelllang'). The cp/ap/crp allocations have the same
          int + 1 overflow class. (Daniel Cervera)
Solution: Use type size_t as buffer size and reject values larger than
          COMPOUND_MAX_LEN (100000). Apply the same size_t treatment to
          the cp/ap/crp allocations.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv

9299332917

Co-authored-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
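
The integer-wrap sizing bug and its fix, as an added example that is not Vim's code: buggy_pat_size() emulates the int-sized buffer computation (with uint32_t wraparound so the example itself is well defined), copy_would_overflow() is the check a reviewer applies to it, and safe_pat_size() applies the commit's fix of a size_t computation behind a COMPOUND_MAX_LEN bound. The exact sizing expression in spellfile.c is not on this page; the "len * 2 + 7, doubled again for UTF-8" growth used below is an assumption.

```c
/* Added example, not Vim's code: models the signed-int sizing bug from the
 * commit above and its size_t + upper-bound fix. The real sizing expression
 * in spellfile.c is not on the page; "len * 2 + 7, doubled again for UTF-8"
 * is an assumption standing in for "conversion may enlarge the pattern". */
#include <stddef.h>
#include <stdint.h>

#define COMPOUND_MAX_LEN 100000   /* cap named in the commit message */

/* Buggy sizing: int arithmetic on the section length read from the .spl
 * file. 32-bit wraparound is emulated with uint32_t so that this example
 * is well defined; in the original the wrap happens in signed int. */
int buggy_pat_size(int sectionlen, int enc_utf8)
{
    uint32_t u = (uint32_t)sectionlen;
    uint32_t c = u * 2u + 7u;            /* room for the pattern ... */
    if (enc_utf8)
        c += u * 2u;                     /* ... doubled again for UTF-8 */
    return (int)c;                       /* 0x40000008 -> 0x27 (39) */
}

/* Does the per-byte copy loop (which writes at least sectionlen bytes)
 * exceed what buggy_pat_size() would allocate? */
int copy_would_overflow(int sectionlen, int enc_utf8)
{
    int alloc = buggy_pat_size(sectionlen, enc_utf8);
    return alloc < 0 || (size_t)alloc < (size_t)sectionlen;
}

/* Fixed sizing: bound the untrusted length first, then size in size_t.
 * Returns 0 when the section must be rejected (nothing to allocate). */
size_t safe_pat_size(int sectionlen, int enc_utf8)
{
    if (sectionlen < 0 || sectionlen > COMPOUND_MAX_LEN)
        return 0;
    size_t len = (size_t)sectionlen;
    size_t c = len * 2 + 7;
    if (enc_utf8)
        c += len * 2;
    return c;
}
```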

Problem:  spell_read_aff() uses sprintf() into a fixed-size stack buffer
          without bounds checking. store_aff_word() uses STRCAT() to
          append attacker-controlled strings into newword[MAXWLEN] without
          checking remaining space. Both are reachable via :mkspell with
          crafted .aff/.dic files. (xinyi234)
Solution: Replace sprintf() with vim_snprintf() in spell_read_aff().
          Replace STRCAT() with STRNCAT() with explicit remaining-space
          calculation in store_aff_word().

closes: vim/vim#19944

07faa961a0

Co-authored-by: Christian Brabandt <cb@256bit.org>

Problem:  First rtp directory is unpredictable and not in line with the XDG
          base spec.
Solution: Use stdpath('data')/spell as directory if 'spellfile' is not set.

Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Co-authored-by: Justin M. Keyes <justinkz@gmail.com>

Problem:  E1510 may happen when formatting a message (after 9.1.0181).
Solution: Only give E1510 when using typval. (zeertzjq)

closes: vim/vim#15391

0dff31576a

Problem:  Too many delete() calls in tests.
Solution: Use deferred delete where possible.

56564964e6

This includes all changes except changes in test_startup.vim.

Co-authored-by: Bram Moolenaar <Bram@vim.org>

Problem:  Spellfile code not completely tested.
Solution: Add a few more test cases. (Yegappan Lakshmanan, closes vim/vim#6929)

96fdf4348a

Co-authored-by: Bram Moolenaar <Bram@vim.org>

Problem:  Spellfile code not completely tested.
Solution: Add a few more test cases. (Yegappan Lakshmanan, closes vim/vim#6918)

64e2db6dc6

Fix incorrect spellfile message.

Co-authored-by: Bram Moolenaar <Bram@vim.org>

Problem:  Crash when using ":mkspell" with an empty .dic file.
Solution: Check for an empty word tree.

6669de1b23

Co-authored-by: Bram Moolenaar <Bram@vim.org>

Problem:  Not enough characters accepted for 'spellfile'.
Solution: Add vim_is_fname_char() and use it for 'spellfile'.

bc49c5f48f

Cherry-pick related doc update from Vim runtime.

Co-authored-by: Bram Moolenaar <Bram@vim.org>