neovim

Neovim text editor

commit 998a96803b32dada4da26d0dc7a636f99319f0e6
parent 0b15c019124965920c5f2df8c8ee75cd46311d27
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sat,  2 Jul 2022 06:37:28 +0800

vim-patch:9.0.0021: invalid memory access when adding word to spell word list

Problem:    Invalid memory access when adding word with a control character to
            the internal spell word list.
Solution:   Disallow adding a word with control characters or a trailing
            slash.
https://github.com/vim/vim/commit/5e59ea54c0c37c2f84770f068d95280069828774

Diffstat:
Msrc/nvim/spellfile.c | 19+++++++++++++++++--
Msrc/nvim/testdir/test_spell.vim | 15+++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c
@@ -3904,6 +3904,21 @@ static wordnode_T *wordtree_alloc(spellinfo_T *spin)
 return (wordnode_T *)getroom(spin, sizeof(wordnode_T), true);
 }

+/// Return true if "word" contains valid word characters.
+/// Control characters and trailing '/' are invalid. Space is OK.
+static bool valid_spell_word(const char_u *word)
+{
+ if (!utf_valid_string(word, NULL)) {
+ return false;
+ }
+ for (const char_u *p = word; *p != NUL; p += utfc_ptr2len((const char *)p)) {
+ if (*p < ' ' || (p[0] == '/' && p[1] == NUL)) {
+ return false;
+ }
+ }
+ return true;
+}
+
 /// Store a word in the tree(s).
 /// Always store it in the case-folded tree. For a keep-case word this is
 /// useful when the word can also be used with all caps (no WF_FIXCAP flag) and
@@ -3925,7 +3940,7 @@ static int store_word(spellinfo_T *spin, char_u *word, int flags, int region, co
 int res = OK;

 // Avoid adding illegal bytes to the word tree.
- if (!utf_valid_string(word, NULL)) {
+ if (!valid_spell_word(word)) {
 return FAIL;
 }

@@ -5522,7 +5537,7 @@ void spell_add_word(char_u *word, int len, SpellAddType what, int idx, bool undo
 int i;
 char_u *spf;

- if (!utf_valid_string(word, NULL)) {
+ if (!valid_spell_word(word)) {
 emsg(_(e_illegal_character_in_word));
 return;
 }
diff --git a/src/nvim/testdir/test_spell.vim b/src/nvim/testdir/test_spell.vim
@@ -699,6 +699,21 @@ func Test_spellsuggest_too_deep()
 bwipe!
 endfunc

+func Test_spell_good_word_invalid()
+ " This was adding a word with a 0x02 byte, which causes havoc.
+ enew
+ norm o0
+ sil! norm rzzWs00/
+ 2
+ sil! norm VzGprzzW
+ sil! norm z=
+
+ bwipe!
+ " clear the internal word list
+ " set enc=latin1
+ set enc=utf-8
+endfunc
+
 func LoadAffAndDic(aff_contents, dic_contents)
 throw 'skipped: Nvim does not support enc=latin1'
 set enc=latin1
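Review bot: The doc comment on the new `valid_spell_word` says control characters are invalid, but the test `*p < ' '` only rejects bytes below 0x20. DEL (0x7F) and the C1 range U+0080..U+009F, whose UTF-8 lead byte is 0xC2, pass the check. If those are meant to be accepted, narrow the comment to `/// Bytes below 0x20 and a trailing '/' are invalid. Space is OK.` so the next reader does not assume broader filtering than the code gives. If they are not, the loop would need to test the decoded code point rather than the lead byte.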
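Review bot: In the `spell_add_word` hunk, `valid_spell_word(word)` scans to the first NUL and ignores the `len` parameter visible in the signature, just like the `utf_valid_string(word, NULL)` call it replaces. If callers pass a pointer into a longer buffer with `len` marking the end of the word (likely, but the callers are outside this page), text after the word can make a valid word fail the check. In that case a word ending in '/' is also accepted whenever more bytes follow it, so the trailing-slash case this commit targets would not be fully covered. Consider giving the helper an end pointer and calling `valid_spell_word(word, word + len)`, with the loop bounded by `*p != NUL && p < end` and the slash test also matching `p + 1 == end`. The body of `spell_add_word` continues outside the hunk.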
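Review bot: `Test_spell_good_word_invalid` contains no assertion, and its key `norm` commands run under `sil!`, so it passes whether or not the word is rejected and fails only if the editor crashes. On a build without a memory checker the original invalid access could return unnoticed. The 0x02 byte named in the comment is not visible in the test lines as shown here, which suggests it is a raw control byte in the file; writing it as an escape inside `exe "norm ..."` would keep it reviewable and harder to lose. At minimum add a comment such as `" No assertion: only checks that adding the word does not crash (run under ASan or valgrind).`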