Commit: patch 9.2.0653: [security]: out-of-bounds write in tree_count_words()

[Christian Brabandt]

patch 9.2.0653: [security]: out-of-bounds write in tree_count_words()

Commit: https://github.com/vim/vim/commit/a80874d9b84a01040e3d1aef2d4a59e1934dafb7
Author: Christian Brabandt <c...@256bit.org>
Date: Mon Jun 15 19:39:08 2026 +0000

patch 9.2.0653: [security]: out-of-bounds write in tree_count_words()

Problem: [security]: a crafted spell file can drive tree_count_words()
past the end of its MAXWLEN-sized depth arrays; the descent
loop has no depth bound.
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do; apply the same guard to sug_filltree().

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-wgh4-64f7-q3jq

Supported by AI.

Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/spellfile.c b/src/spellfile.c
index c1e15e976..2e7f6a539 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -642,7 +642,7 @@ tree_count_words(char_u *byts, long byts_len, idx_T *idxs)
++curi[depth];
}
}
- else
+ else if (depth < MAXWLEN - 1)
{
// Normal char, go one level deeper to count the words.
++depth;
@@ -5742,7 +5742,7 @@ sug_filltree(spellinfo_T *spin, slang_T *slang)
++curi[depth];
}
}
- else
+ else if (depth < MAXWLEN - 1)
{
// Normal char, go one level deeper.
tword[depth++] = c;
diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
index 07156818d..10d9161ac 100644
--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
@@ -1247,4 +1247,31 @@ func Test_mkspell_no_compflag_overflow()
call assert_false(filereadable('Xcompbof.spl'))
endfunc

+func Test_spell_sug_tree_count_words_overflow()
+ " A crafted .spl/.sug pair with a BY_INDEX self-cycle in the fold word tree
+ " parses cleanly (shared refs aren't recursed, so read_tree_node()'s depth
+ " cap never trips), but drove tree_count_words() past its MAXWLEN-sized depth
+ " arrays -> stack out-of-bounds write. The walk only happens when
+ " spellsuggest() loads the matching .sug. Reaching the assert == no OOB.
+ call mkdir('Xrtp/spell', 'pR')
+ " VIMspell + v50, SN_SUGFILE(ts), SN_END, LWORDTREE{node:1,BY_INDEX->0,'A'},
+ " empty KWORDTREE/PREFIXTREE
+ let spl = eval('0z56494D7370656C6C320B0000000008000000001234'
+ \ .. '5678FF000000020101000000410000000000000000')
+ " VIMsug + v1, matching ts, SUGWORDTREE word "a", empty SUGTABLE
+ let sug = 0z56494D737567010000000012345678000000040161010000000000
+ call writefile(spl, 'Xrtp/spell/xx.utf-8.spl', 'b')
+ call writefile(sug, 'Xrtp/spell/xx.utf-8.sug', 'b')
+
+ new
+ set runtimepath+=./Xrtp
+ set spelllang=xx
+ set spell
+ " Unpatched: OOB write here (ASan abort, or crash). Patched: returns a list.
+ call assert_equal(v:t_list, type(spellsuggest('helloo')))
+
+ set spell& spelllang& runtimepath&
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 7de996977..de75d3eef 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 653,
/**/
652,
/**/