patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()

Problem:  [security]: a crafted spell file with a self-referential
          BY_INDEX node in the prefix tree can drive dump_prefixes()
          past the end of its MAXWLEN-sized depth arrays on :spelldump
          (cipher-creator)
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
          walkers already do (Yasuhiro Matsumoto)

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h

Supported by AI

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/spell.c b/src/spell.c
index b48ee87b03655c7b6429feeb61714f740062fabb..fddcdaa9f079e725f4107aeaaed968bc3cb14fc4 100644 (file)
--- a/src/spell.c
+++ b/src/spell.c
@@ -4325,7 +4325,7 @@ dump_prefixes(
                        }
                    }
                }
-               else
+               else if (depth < MAXWLEN - 1)
                {
                    // Normal char, go one level deeper.
                    prefix[depth++] = c;

diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 3b7f727d8046c7e8b20b25bbf1bbc034396e9960..b524cf60fc0ee0c90e0ca26774b50367fa26e3a1 100644 (file)
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -1584,4 +1584,31 @@ func Test_suggest_spell_restore()
   bwipe!
 endfunc
 
+" A crafted .spl with a self-referential BY_INDEX node in the PREFIXTREE drove
+" dump_prefixes() past its MAXWLEN-sized depth arrays (stack out-of-bounds
+" write).  The tree parses cleanly (shared refs aren't recursed); the walk
+" happens on :spelldump.  Reaching the assert means no OOB.  Same class as the
+" tree_count_words() fix (9.2.0653).
+func Test_spelldump_prefixtree_overflow()
+  CheckUnix
+  call mkdir('Xrtp/spell', 'pR')
+  " VIMspell + v50, SN_PREFCOND(prefixcnt=1), SN_END,
+  " LWORDTREE word "a" with affixID=1 (so dump_prefixes runs),
+  " empty KWORDTREE, PREFIXTREE child BY_INDEX -> nodeidx 0 (self-cycle), 'A'
+  let spl = eval('0z56494D7370656C6C32030000000003000100FF00000004'
+        \ .. '0161010220010000000000000002010100000041')
+  call writefile(spl, 'Xrtp/spell/xx.utf-8.spl', 'b')
+
+  new
+  set runtimepath+=./Xrtp
+  set spelllang=xx
+  set spell
+  spelldump
+  call assert_true(line('$') > 1)
+
+  set spell& spelllang& runtimepath&
+  bwipe!
+  bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 9824f5891c5d49591d53c03d1e478a97ffcafb1b..770b0841ccd1831ef32f9a4a6d512751057aa2d1 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    662,
 /**/
     661,
 /**/