git.ipfire.org Git - thirdparty/vim.git/commit
patch 9.2.0331: spellfile: stack buffer overflows in spell file generation v9.2.0331
author Christian Brabandt <cb@256bit.org>
Thu, 9 Apr 2026 22:27:36 +0000 (22:27 +0000)
committer Christian Brabandt <cb@256bit.org>
Thu, 9 Apr 2026 22:27:36 +0000 (22:27 +0000)
commit 07faa961a05bc5ea007ab70ff483ea1b32c3371d
tree 2115bc9843547b13063b5005b3e3d0d87c815ab4
parent 2fbc69c9adbaac5cd33d30a3ccbcb9b3f40eba41
patch 9.2.0331: spellfile: stack buffer overflows in spell file generation

Problem:  spell_read_aff() uses sprintf() into a fixed-size stack buffer
          without bounds checking. store_aff_word() uses STRCAT() to
          append attacker-controlled strings into newword[MAXWLEN] without
          checking remaining space. Both are reachable via :mkspell with
          crafted .aff/.dic files (xinyi234)
Solution: Replace sprintf() with vim_snprintf() in spell_read_aff().
          Replace STRCAT() with STRNCAT() with explicit remaining-space
          calculation in store_aff_word().

closes: #19944

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/spellfile.c
src/testdir/test_spellfile.vim
src/version.c
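
The bounded-append and bounded-format pattern the commit message describes, as an added example that is not the Vim source: standard `snprintf()` and `strncat()` stand in for `vim_snprintf()` and `STRNCAT()`, and `WORD_MAX`, `bounded_append()`, `build_word()` and `format_label()` are hypothetical names used with constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define WORD_MAX 32 /* constructed size, stands in for the page's MAXWLEN */

/* Append src to the NUL-terminated string in dst[dstsize] without writing
 * past the buffer. Returns 0 if all of src fit, -1 if it was truncated. */
static int bounded_append(char *dst, size_t dstsize, const char *src)
{
    size_t used = strlen(dst);
    size_t room;

    if (used >= dstsize)
        return -1;                  /* dst is not a valid string in this buffer */
    room = dstsize - used - 1;      /* bytes left, keeping one for the NUL */
    strncat(dst, src, room);        /* copies at most room bytes, then a NUL */
    return strlen(src) <= room ? 0 : -1;
}

/* Assemble prefix + stem + suffix from untrusted affix data (hypothetical). */
static int build_word(char out[WORD_MAX], const char *prefix,
                      const char *stem, const char *suffix)
{
    int rc = 0;

    out[0] = '\0';
    rc |= bounded_append(out, WORD_MAX, prefix);
    rc |= bounded_append(out, WORD_MAX, stem);
    rc |= bounded_append(out, WORD_MAX, suffix);
    return rc ? -1 : 0;
}

/* Bounded replacement for sprintf(): snprintf() returns the length it wanted,
 * so a result >= bufsize means the output was cut short. */
static int format_label(char *buf, size_t bufsize, const char *name, int lnum)
{
    int n = snprintf(buf, bufsize, "%s line %d", name, lnum);

    return (n >= 0 && (size_t)n < bufsize) ? 0 : -1;
}

int main(void)
{
    char word[WORD_MAX];
    int rc = build_word(word, "un", "breakbreakbreakbreakbreakbreakbreak", "able");

    printf("rc=%d len=%zu word=%s\n", rc, strlen(word), word);
    return 0;
}
```

Returning a truncation status lets the caller reject an oversized word from a `.aff`/`.dic` file instead of silently storing a cut-off one.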