[vim/vim] fix: prevent integer overflow in read_tree_node bounds check (PR #20483)


Devon Kirk

2:55 PM
to vim/vim, Subscribed

Fixes CWE-190 integer overflow vulnerability in spell file parsing.

The bounds check at spellfile.c:1673 uses signed integer addition which can overflow when startidx approaches INT_MAX, allowing out-of-bounds heap writes.

Replace overflow-prone addition with safe subtraction:
OLD: if (startidx + len >= maxidx)
NEW: if (len >= maxidx - startidx)

The subtraction cannot overflow because both operands are valid indices. This maintains the original >= semantics while preventing integer overflow.


You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/20483

Commit Summary

  • b4dae58 fix: prevent integer overflow in read_tree_node bounds check

File Changes

(1 file)

Patch Links:


Message ID: <vim/vim/pull/20483@github.com>
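The two forms of the bounds check quoted in the PR description, compared on a start index near INT_MAX. This is an added example, not code from the PR or from Vim. It assumes all three values are plain `int`, models the wrapped addition with unsigned arithmetic because signed overflow is undefined behaviour in C, and uses hypothetical function names, including a `rejects_checked` variant that enforces the "valid indices" precondition itself.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Addition form ("OLD"). The sum is computed in unsigned arithmetic and
 * converted back, which reproduces the wraparound a two's-complement build
 * typically exhibits (the conversion is implementation-defined before C23). */
static bool rejects_add_form(int startidx, int len, int maxidx)
{
    int sum = (int)((unsigned)startidx + (unsigned)len);
    return sum >= maxidx;          /* a wrapped, negative sum passes the check */
}

/* Subtraction form ("NEW"). Only safe when 0 <= startidx <= maxidx, so that
 * maxidx - startidx stays within [0, INT_MAX]. */
static bool rejects_sub_form(int startidx, int len, int maxidx)
{
    return len >= maxidx - startidx;
}

/* Hypothetical variant: validate the preconditions before subtracting, so a
 * negative or out-of-range index from a malformed file is rejected as well. */
static bool rejects_checked(int startidx, int len, int maxidx)
{
    if (startidx < 0 || len < 0 || maxidx < 0 || startidx > maxidx)
        return true;
    return len >= maxidx - startidx;
}

int main(void)
{
    /* Constructed inputs: an ordinary case, then a start index near INT_MAX. */
    int cases[][3] = { {5, 3, 10}, {5, 5, 10}, {INT_MAX - 10, 100, INT_MAX} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int s = cases[i][0], l = cases[i][1], m = cases[i][2];
        printf("startidx=%d len=%d maxidx=%d add=%d sub=%d checked=%d\n",
               s, l, m, rejects_add_form(s, l, m),
               rejects_sub_form(s, l, m), rejects_checked(s, l, m));
    }
    return 0;
}
```

A value of 1 means the node is rejected; only the last constructed case separates the two forms.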
