blob: b9851cd82ecb43f7e6c565023ad5dd0c9781e058 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
From: Markus Koschany <apo@debian.org>
Date: Sun, 30 Oct 2022 22:14:06 +0100
Subject: CVE-2022-0943
Origin: https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653a3
---
src/spell.c | 4 ++++
src/testdir/test_spell.vim | 17 +++++++++++++++++
2 files changed, 21 insertions(+)
--- a/src/spell.c
+++ b/src/spell.c
@@ -3259,6 +3259,10 @@ spell_suggest(int count)
curwin->w_cursor.col = VIsual.col;
++badlen;
end_visual_mode();
+ // make sure we don't include the NUL at the end of the line
+ line = ml_get_curline();
+ if (badlen > STRLEN(line) - curwin->w_cursor.col)
+ badlen = STRLEN(line) - curwin->w_cursor.col;
}
/* Find the start of the badly spelled word. */
else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -126,6 +126,23 @@ func Test_spellreall()
bwipe!
endfunc
+func Test_spellsuggest_visual_end_of_line()
+ set spell
+ let enc_save = &encoding
+ set encoding=iso8859
+
+ " This was reading beyond the end of the line.
+ norm R00000000000
+ sil norm ^V0
+ sil! norm ^Vi00000)
+ sil! norm ^Vi00000)
+ call feedkeys("\<CR>")
+ norm z=
+
+ let &encoding = enc_save
+ set nospell
+endfunc
+
func Test_spellinfo()
new
|