From: Markus Koschany
Date: Wed, 2 Nov 2022 23:13:09 +0100
Subject: CVE-2022-2304
Origin: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e70939
---
 src/spell.c | 5 +++--
 src/testdir/test_spell.vim | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/spell.c b/src/spell.c
index 2d36953..3d9e7c8 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -8505,9 +8505,10 @@ spell_dump_compl(
 n = arridx[depth] + curi[depth];
 ++curi[depth];
 c = byts[n];
- if (c == 0)
+ if (c == 0 || depth >= MAXWLEN - 1)
 {
- /* End of word, deal with the word.
+ /* End of word or reached maximum length, deal with the
+ * word.
 * Don't use keep-case words in the fold-case tree,
 * they will appear in the keep-case tree.
 * Only use the word when the region matches. */
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 50e2d54..afbb6d8 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -260,6 +260,19 @@ func Test_zz_compound()
 endfunc
+func Test_spell_dump_word_length()
+ " this was running over MAXWLEN
+ new
+ noremap 0 0a0zW0000000
+ sil! norm 0z=0
+ sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ sil! norm 0z=0
+
+ bwipe!
+ nunmap 0
+endfunc
+
+
 "Test affix flags with two characters
 func Test_zz_affix()
 call LoadAffAndDic(g:test_data_aff5, g:test_data_dic5)
@@ -922,3 +935,4 @@ let g:test_data_aff_sal = [
 \"SAL ZZ- _",
 \"SAL Z S",
 \ ]
+
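Review bot: The new condition `depth >= MAXWLEN - 1` sends a trie node whose byte is not the end-of-word marker (c != 0) through the end-of-word branch, so the dump code below this hunk presumably reads the flags and region value it expects for a leaf from an entry that is actually an interior node; it is worth confirming that branch tolerates that, or skipping such nodes instead of emitting a truncated word. The bound itself deserves a why-comment, since the `- 1` is not obvious from the hunk, e.g. `/* word[] holds MAXWLEN bytes incl. NUL; never descend past MAXWLEN - 1 */`. The body of spell_dump_compl() starts and ends outside the hunk, so the behaviour of the end-of-word branch for this new case cannot be verified from here.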
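Review bot: In Test_spell_dump_word_length the long `sil norm 000…` line lacks the `!` that the surrounding `sil! norm` lines have, so an error raised there aborts the function before `bwipe!` and `nunmap 0` run, leaving a global `0` mapping and an extra buffer behind for every later test in the file. Either make it `sil! norm 000…` like its neighbours, or wrap the body in `try ... finally` so the cleanup always executes. The test intentionally asserts nothing and relies on the crash/overrun being detected; a one-line comment saying so, e.g. `" no assert: only checks that the dump does not overrun word[]`, would make that explicit for the next reader.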