Patch 9.0.0109

[Bram Moolenaar]

Patch 9.0.0109
Problem: Writing over the end of a buffer on stack when making list of
spell suggestions.
Solution: Make sure suggested word is not too long. (closes #10812)
Files: src/spellsuggest.c, src/testdir/test_spell_utf8.vim


*** ../vim-9.0.0108/src/spellsuggest.c 2022-06-18 14:06:36.000000000 +0100
--- src/spellsuggest.c 2022-07-30 11:38:39.906523544 +0100
***************
*** 592,606 ****
msg_scroll = TRUE;
for (i = 0; i < sug.su_ga.ga_len; ++i)
{
stp = &SUG(sug.su_ga, i);

// The suggested word may replace only part of the bad word, add
! // the not replaced part.
vim_strncpy(wcopy, stp->st_word, MAXWLEN);
! if (sug.su_badlen > stp->st_orglen)
vim_strncpy(wcopy + stp->st_wordlen,
! sug.su_badptr + stp->st_orglen,
! sug.su_badlen - stp->st_orglen);
vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
#ifdef FEAT_RIGHTLEFT
if (cmdmsg_rl)
--- 592,608 ----
msg_scroll = TRUE;
for (i = 0; i < sug.su_ga.ga_len; ++i)
{
+ int el;
+
stp = &SUG(sug.su_ga, i);

// The suggested word may replace only part of the bad word, add
! // the not replaced part. But only when it's not getting too long.
vim_strncpy(wcopy, stp->st_word, MAXWLEN);
! el = sug.su_badlen - stp->st_orglen;
! if (el > 0 && stp->st_wordlen + el <= MAXWLEN)
vim_strncpy(wcopy + stp->st_wordlen,
! sug.su_badptr + stp->st_orglen, el);
vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
#ifdef FEAT_RIGHTLEFT
if (cmdmsg_rl)
*** ../vim-9.0.0108/src/testdir/test_spell_utf8.vim 2022-07-04 11:03:03.548044326 +0100
--- src/testdir/test_spell_utf8.vim 2022-07-30 11:36:40.346361471 +0100
***************
*** 819,823 ****
--- 819,831 ----
bwipe!
endfunc

+ func Test_spell_suggest_too_long()
+ " this was creating a word longer than MAXWLEN
+ new
+ call setline(1, 'a' .. repeat("\u0333", 150))
+ norm! z=
+ bwipe!
+ endfunc
+

" vim: shiftwidth=2 sts=2 expandtab
*** ../vim-9.0.0108/src/version.c 2022-07-30 11:00:46.553396706 +0100
--- src/version.c 2022-07-30 11:39:45.010612826 +0100
***************
*** 737,738 ****
--- 737,740 ----
{ /* Add new patch number below this line */
+ /**/
+ 109,
/**/

--
% cat /usr/include/sys/errno.h
#define EPERM 1 /* Operation not permitted */
#define ENOENT 2 /* No such file or directory */
#define ESRCH 3 /* No such process */
[...]
#define EMACS 666 /* Too many macros */
%

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///