From: Markus Koschany <apo@debian.org>
Date: Wed, 2 Nov 2022 23:13:09 +0100
Subject: CVE-2022-2304
Origin: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e70939
---
src/spell.c | 5 +++--
src/testdir/test_spell.vim | 14 ++++++++++++++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/spell.c b/src/spell.c
index 2d36953..3d9e7c8 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -8505,9 +8505,10 @@ spell_dump_compl(
n = arridx[depth] + curi[depth];
++curi[depth];
c = byts[n];
- if (c == 0)
+ if (c == 0 || depth >= MAXWLEN - 1)
{
- /* End of word, deal with the word.
+ /* End of word or reached maximum length, deal with the
+ * word.
* Don't use keep-case words in the fold-case tree,
* they will appear in the keep-case tree.
* Only use the word when the region matches. */
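Review bot: The widened condition `c == 0 || depth >= MAXWLEN - 1` sends a non-terminator byte into a block that was written for the end-of-word case, so whatever that block reads for the entry at `n` is now also evaluated when `c != 0`. The block's body continues outside the hunk, so this cannot be confirmed from here; if it takes flags or a region from that entry, the value presumably means something else for a normal character and should be checked for the length-limit path. The comment should also say that the word handled on this path is cut off rather than complete, e.g. `/* depth limit reached: c is not a terminator, the word is truncated */`. The bound itself looks right for stopping the descent before the index passes MAXWLEN, assuming the word buffer is MAXWLEN bytes.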
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 50e2d54..afbb6d8 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -260,6 +260,19 @@ func Test_zz_compound()
endfunc
+func Test_spell_dump_word_length()
+ " this was running over MAXWLEN
+ new
+ noremap 0 0a0zW0000000
+ sil! norm 0z=0
+ sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+ sil! norm 0z=0
+
+ bwipe!
+ nunmap 0
+endfunc
+
+
"Test affix flags with two characters
func Test_zz_affix()
call LoadAffAndDic(g:test_data_aff5, g:test_data_dic5)
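Review bot: Test_spell_dump_word_length has no assertion and both `z=` calls run under `sil!`, so it can only fail if Vim crashes or a memory checker reports the overrun; on a build without such a checker a small write past MAXWLEN may go unnoticed. A comment saying so would help the next maintainer, e.g. `" no assert: relies on ASan/valgrind to flag the write past MAXWLEN`. The `noremap 0` mapping is removed only by `nunmap 0` at the end, so if the un-silenced `sil norm` line raises an error the mapping may leak into later tests; whether that happens depends on how the test runner handles errors, which is not visible here.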
@@ -922,3 +935,4 @@ let g:test_data_aff_sal = [
\"SAL ZZ- _",
\"SAL Z S",
\ ]
+