patch 9.2.0698: [security]: Out-of-bounds write with soundfold()

Problem:  [security]: Out-of-bounds write with soundfold()
          (cipher-creator)
Solution: Add an abort condition to the for loop to validate the buffer
          size.

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q8mh-6qm3-25g4

Supported by AI

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/spell.c b/src/spell.c
index fddcdaa9f079e725f4107aeaaed968bc3cb14fc4..96700782ef222938f075d3b5d2cb2b73ee94b78e 100644 (file)
--- a/src/spell.c
+++ b/src/spell.c
@@ -3270,7 +3270,7 @@ spell_soundfold_sofo(slang_T *slang, char_u *inword, char_u *res)
     else
     {
        // The sl_sal_first[] table contains the translation.
-       for (s = inword; (c = *s) != NUL; ++s)
+       for (s = inword; (c = *s) != NUL && ri < MAXWLEN - 1; ++s)
        {
            if (VIM_ISWHITE(c))
                c = ' ';

diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
index 10d9161ac6a7e73b493099c64ad5ae1b487f3357..9ec728a768a4ee94268c2a3ec523609b16a6f809 100644 (file)
--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
@@ -1274,4 +1274,25 @@ func Test_spell_sug_tree_count_words_overflow()
   bwipe!
 endfunc
 
+" A word longer than MAXWLEN must not overflow the soundfold result buffer in
+" the single-byte SOFO branch of spell_soundfold_sofo().
+func Test_soundfold_overflow()
+  let _enc=&enc
+  set enc=latin1
+  call writefile(['SOFOFROM ab', 'SOFOTO xy'], 'Xtest.aff', 'D')
+  call writefile(['1', 'foo'], 'Xtest.dic', 'D')
+  mkspell! Xtest Xtest
+  defer delete('Xtest.latin1.spl')
+  defer delete('Xtest.latin1.sug')
+  setl spelllang=Xtest.latin1.spl spell
+
+  " Before the fix the copy loop wrote one byte per input byte into a
+  " MAXWLEN (254) stack buffer with no upper bound, smashing the stack.
+  let sound = soundfold(repeat('ab', 300))
+  call assert_true(strlen(sound) < 254, 'soundfold result exceeds MAXWLEN')
+
+  set spell& spelllang&
+  let &enc = _enc
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index f8268b842e73cdf2df6d8e5798831a9c542f1c0a..336707f7f770c9d13f21370142d48637e9e7b1d1 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    698,
 /**/
     697,
 /**/