From: Bram Moolenaar Date: Fri, 10 Jul 2020 18:03:03 +0000 (+0200) Subject: patch 8.2.1169: write NUL past allocated space using corrupted spell file X-Git-Tag: v8.2.1169 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97d2f34c8763ab3a46c9f43284cc17bad3cf9568;p=thirdparty%2Fvim.git patch 8.2.1169: write NUL past allocated space using corrupted spell file Problem: Write NUL past allocated space using corrupted spell file. (Markus Vervier) Solution: Init "c" every time. --- diff --git a/src/spellfile.c b/src/spellfile.c index fc365e2a03..8a029dc719 100644 --- a/src/spellfile.c +++ b/src/spellfile.c @@ -993,7 +993,6 @@ read_sal_section(FILE *fd, slang_T *slang) salitem_T *smp; int ccnt; char_u *p; - int c = NUL; slang->sl_sofo = FALSE; @@ -1017,6 +1016,8 @@ read_sal_section(FILE *fd, slang_T *slang) // : for (; gap->ga_len < cnt; ++gap->ga_len) { + int c = NUL; + smp = &((salitem_T *)gap->ga_data)[gap->ga_len]; ccnt = getc(fd); // if (ccnt < 0) diff --git a/src/version.c b/src/version.c index 0b31e54b0a..88bd908c65 100644 --- a/src/version.c +++ b/src/version.c @@ -754,6 +754,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1169, /**/ 1168, /**/
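Review bot: in the second src/spellfile.c hunk (@@ -1017,6 +1016,8 @@), the new `int c = NUL;` at the top of the `for (; gap->ga_len < cnt; ++gap->ga_len)` body has no comment saying why it must be reset for every item, so a later cleanup could hoist the declaration back to function scope and reintroduce the bug. Moving the initializer into the loop implies that a value of `c` left over from the previous item was being used when the current item did not assign it; a short comment such as `// must start as NUL for each item, file contents are untrusted` would record that. The diff touches only src/spellfile.c and src/version.c, so no regression test accompanies the fix; a test that loads a malformed spell file through read_sal_section() under a memory checker would guard against the out-of-bounds NUL write coming back.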