From: Christian Brabandt
Date: Sun, 21 Jun 2026 19:20:03 +0000 (+0000)
Subject: patch 9.2.0698: [security]: Out-of-bounds write with soundfold()
X-Git-Tag: v9.2.0698^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=497f931f85339d175d7f69588dd249e8ccfed41b;p=thirdparty%2Fvim.git

patch 9.2.0698: [security]: Out-of-bounds write with soundfold()

Problem: [security]: Out-of-bounds write with soundfold() (cipher-creator)
Solution: Add an abort condition to the for loop to validate the buffer size.
Github Security Advisory: https://github.com/vim/vim/security/advisories/GHSA-q8mh-6qm3-25g4
Supported by AI
Signed-off-by: Christian Brabandt
---
diff --git a/src/spell.c b/src/spell.c
index fddcdaa9f0..96700782ef 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3270,7 +3270,7 @@ spell_soundfold_sofo(slang_T *slang, char_u *inword, char_u *res)
 else
 {
 // The sl_sal_first[] table contains the translation.
- for (s = inword; (c = *s) != NUL; ++s)
+ for (s = inword; (c = *s) != NUL && ri < MAXWLEN - 1; ++s)
 {
 if (VIM_ISWHITE(c))
 c = ' ';
diff --git a/src/testdir/test_spellfile.vim b/src/testdir/test_spellfile.vim
index 10d9161ac6..9ec728a768 100644
--- a/src/testdir/test_spellfile.vim
+++ b/src/testdir/test_spellfile.vim
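Review bot: The new `ri < MAXWLEN - 1` bound in the for-loop condition of spell_soundfold_sofo() silently assumes that every caller passes a `res` buffer of at least MAXWLEN bytes, but the `char_u *res` parameter carries no size and nothing in this hunk states that contract. A comment above the loop would make it reviewable, for example `// res[] must hold MAXWLEN bytes: stop at MAXWLEN - 1 so a terminating NUL still fits; longer input is truncated.` The function starts before and ends after this hunk, so the terminator write and the multi-byte branch are not visible here. It is worth confirming that both stay within the same limit.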
@@ -1274,4 +1274,25 @@ func Test_spell_sug_tree_count_words_overflow()
 bwipe!
 endfunc
 
+" A word longer than MAXWLEN must not overflow the soundfold result buffer in
+" the single-byte SOFO branch of spell_soundfold_sofo().
+func Test_soundfold_overflow()
+ let _enc=&enc
+ set enc=latin1
+ call writefile(['SOFOFROM ab', 'SOFOTO xy'], 'Xtest.aff', 'D')
+ call writefile(['1', 'foo'], 'Xtest.dic', 'D')
+ mkspell! Xtest Xtest
+ defer delete('Xtest.latin1.spl')
+ defer delete('Xtest.latin1.sug')
+ setl spelllang=Xtest.latin1.spl spell
+
+ " Before the fix the copy loop wrote one byte per input byte into a
+ " MAXWLEN (254) stack buffer with no upper bound, smashing the stack.
+ let sound = soundfold(repeat('ab', 300))
+ call assert_true(strlen(sound) < 254, 'soundfold result exceeds MAXWLEN')
+
+ set spell& spelllang&
+ let &enc = _enc
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index f8268b842e..336707f7f7 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
 static int included_patches[] =
 {
 /* Add new patch number below this line */
+/**/
+ 698,
 /**/
 697,
 /**/
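Review bot: The assertion `strlen(sound) < 254` in Test_soundfold_overflow() checks only an upper bound, so it does not pin where truncation happens and would still pass if the loop stopped far earlier than intended. The alternating `ab` input maps to alternating output bytes, so no duplicates are collapsed. If MAXWLEN is 254 as the test comment says, the new `ri < MAXWLEN - 1` bound should therefore give exactly 253 bytes. `call assert_equal(253, strlen(sound))` would catch an off-by-one in either direction. Separately, 'enc' and the spell options are restored only on the last lines of the function, so an error raised by `mkspell!` would presumably leave `enc=latin1` set for later tests; restoring them through `defer`, as the file deletions already do, would avoid that.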