patch 9.2.0623: possible integer overflow in spellfile tree bounds check
Commit:
https://github.com/vim/vim/commit/276920e138c276ffb1e6d5ec56879056a419453c
Author: Devon Kirk <hyde...@users.noreply.github.com>
Date: Fri Jun 12 10:10:50 2026 +0000
patch 9.2.0623: possible integer overflow in spellfile tree bounds check
Problem: possible integer overflow in spellfile tree bounds check
Solution: Rewrite the overflow check (Devon Kirk)
The check 'startidx + len >= maxidx' uses signed int addition and can
overflow when startidx approaches INT_MAX. After overflow the wrapped
result bypasses the guard, allowing the subsequent loop to write
idxs[startidx + i] out of bounds on the heap.
Replace the addition with a safe subtractive check that maintains the
original >= semantics: len >= maxidx - startidx cannot overflow because
both operands are valid indices within [0, maxidx].
This fixes CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based
Buffer Overflow).
closes: #20483
Signed-off-by: Devon Kirk <hyde...@users.noreply.github.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/spellfile.c b/src/spellfile.c
index 8a373f343..c1e15e976 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1670,7 +1670,7 @@ read_tree_node(
if (len <= 0)
return SP_TRUNCERROR;
- if (startidx + len >= maxidx)
+ if (len >= maxidx - startidx)
return SP_FORMERROR;
byts[idx++] = len;
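Review bot: the replacement condition `if (len >= maxidx - startidx)` is only overflow-free if startidx is already known to lie in [0, maxidx] when read_tree_node() reaches it; the commit message states that invariant, but nothing in this hunk establishes it, and a negative startidx would make the subtraction itself overflow for a large maxidx. Suggest a one-line comment above the check saying why the subtractive form is used and what it assumes, so a later cleanup does not "simplify" it back to `startidx + len >= maxidx`. With the preceding `if (len <= 0) return SP_TRUNCERROR;` the new check rejects exactly the inputs the old one was meant to reject, minus the wrapped cases, so the SP_FORMERROR semantics are otherwise preserved.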
diff --git a/src/version.c b/src/version.c
index 57bd82493..b798c6348 100644
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 623,
/**/
622,
/**/
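The overflow described in the commit message and the subtractive guard that replaces it, side by side, as an added example in C. This is not vim's code: the enum values, the check_node_bounds() wrapper and its explicit precondition check on startidx are assumptions of this example, and the pre-patch addition is modelled with unsigned arithmetic so that the wrap-around is deterministic here rather than the undefined behaviour it would be in the original signed expression.

```c
/* Added example (not vim's code): compare the pre-patch and post-patch
 * bounds checks from read_tree_node() in src/spellfile.c. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Result codes modelled on the ones the hunk returns. The numeric values
 * are assumptions for this example, not vim's SP_* definitions. */
enum tree_check { CHECK_OK = 0, CHECK_TRUNCERROR = -1, CHECK_FORMERROR = -2 };

/* Pre-patch guard, 'startidx + len >= maxidx'. The sum is formed in
 * unsigned arithmetic and converted back so the wrap is deterministic in
 * this demo; in the original signed expression it is undefined behaviour. */
static bool old_guard_rejects(int startidx, int len, int maxidx)
{
    int sum = (int)((unsigned)startidx + (unsigned)len);
    return sum >= maxidx;
}

/* Post-patch guard, 'len >= maxidx - startidx'. Overflow-free provided
 * 0 <= startidx <= maxidx, the invariant the commit message relies on. */
static bool new_guard_rejects(int startidx, int len, int maxidx)
{
    return len >= maxidx - startidx;
}

/* Does the pre-patch expression overflow for these inputs? (GCC/Clang builtin.) */
static bool old_guard_overflows(int startidx, int len)
{
    int unused;
    return __builtin_add_overflow(startidx, len, &unused);
}

/* The hunk's validation sequence with the patched guard, plus an explicit
 * precondition check on startidx (added in this example, not in the patch)
 * so that the subtraction can never overflow regardless of caller state. */
static enum tree_check check_node_bounds(int startidx, int len, int maxidx)
{
    if (startidx < 0 || startidx > maxidx)   /* precondition, example-only */
        return CHECK_FORMERROR;
    if (len <= 0)                            /* as in the hunk */
        return CHECK_TRUNCERROR;
    if (new_guard_rejects(startidx, len, maxidx))
        return CHECK_FORMERROR;
    return CHECK_OK;
}

int main(void)
{
    const int maxidx = 100;
    int s = INT_MAX - 5, l = 10;   /* constructed input: startidx near INT_MAX */

    /* Old guard: the sum wraps negative, so '< maxidx' and the guard is bypassed.
     * New guard: 100 - (INT_MAX - 5) is a large negative number, len >= it. */
    printf("old guard overflows=%d rejects=%d | new guard rejects=%d\n",
           old_guard_overflows(s, l), old_guard_rejects(s, l, maxidx),
           new_guard_rejects(s, l, maxidx));

    /* In-range inputs: both guards agree. */
    printf("90+10 -> %d, 90+9 -> %d, len 0 -> %d\n",
           check_node_bounds(90, 10, maxidx), check_node_bounds(90, 9, maxidx),
           check_node_bounds(5, 0, maxidx));
    return 0;
}
```

Compile with `cc -Wall -O2 example.c`; `__builtin_add_overflow` needs GCC or Clang. The in-range cases show the two guards are equivalent where the old one did not wrap, and the near-INT_MAX case shows the old guard accepting an index that the loop would then use to write past the end of idxs[].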