From: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Date: Tue, 16 Jun 2026 20:32:21 +0000 (+0000)
Subject: patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()
X-Git-Tag: v9.2.0662^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8325b193bba5f01e7a7d8241fc8633d93dff996b;p=thirdparty%2Fvim.git

patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()

Problem:  [security]: a crafted spell file with a self-referential
          BY_INDEX node in the prefix tree can drive dump_prefixes()
          past the end of its MAXWLEN-sized depth arrays on :spelldump
          (cipher-creator)
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
          walkers already do (Yasuhiro Matsumoto)

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h

Supported by AI

Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---

diff --git a/src/spell.c b/src/spell.c
index b48ee87b03..fddcdaa9f0 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -4325,7 +4325,7 @@ dump_prefixes(
 			}
 		    }
 		}
-		else
+		else if (depth < MAXWLEN - 1)
 		{
 		    // Normal char, go one level deeper.
 		    prefix[depth++] = c;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 3b7f727d80..b524cf60fc 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -1584,4 +1584,31 @@ func Test_suggest_spell_restore()
   bwipe!
 endfunc
 
+" A crafted .spl with a self-referential BY_INDEX node in the PREFIXTREE drove
+" dump_prefixes() past its MAXWLEN-sized depth arrays (stack out-of-bounds
+" write).  The tree parses cleanly (shared refs aren't recursed); the walk
+" happens on :spelldump.  Reaching the assert means no OOB.  Same class as the
+" tree_count_words() fix (9.2.0653).
+func Test_spelldump_prefixtree_overflow()
+  CheckUnix
+  call mkdir('Xrtp/spell', 'pR')
+  " VIMspell + v50, SN_PREFCOND(prefixcnt=1), SN_END,
+  " LWORDTREE word "a" with affixID=1 (so dump_prefixes runs),
+  " empty KWORDTREE, PREFIXTREE child BY_INDEX -> nodeidx 0 (self-cycle), 'A'
+  let spl = eval('0z56494D7370656C6C32030000000003000100FF00000004'
+        \ .. '0161010220010000000000000002010100000041')
+  call writefile(spl, 'Xrtp/spell/xx.utf-8.spl', 'b')
+
+  new
+  set runtimepath+=./Xrtp
+  set spelllang=xx
+  set spell
+  spelldump
+  call assert_true(line('$') > 1)
+
+  set spell& spelllang& runtimepath&
+  bwipe!
+  bwipe!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 9824f5891c..770b0841cc 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    662,
 /**/
     661,
 /**/