git.ipfire.org Git - thirdparty/vim.git/commit
patch 9.2.0450: [security]: heap buffer overflow in spellfile.c read_compound() (tag v9.2.0450)
author    Christian Brabandt <cb@256bit.org>
          Wed, 6 May 2026 18:50:00 +0000 (20:50 +0200)
committer Christian Brabandt <cb@256bit.org>
          Thu, 7 May 2026 18:49:53 +0000 (18:49 +0000)
commit    92993329178cb1f72d700fff45ca86e1c2d369f8
tree      cd57a7339aa30415a3c84a45092521983ad2625d
parent    4cbdef8e30cd5da5d3a0941ab88bf082b0b1e164
patch 9.2.0450: [security]: heap buffer overflow in spellfile.c read_compound()

Problem:  read_compound() in spellfile.c computes the size of the regex
          pattern buffer using signed-int arithmetic on the attacker-
          controlled SN_COMPOUND sectionlen.  With sectionlen=0x40000008
          and UTF-8 encoding active the multiplication wraps to 27 while
          the per-byte loop writes up to ~1B bytes, overflowing the heap.
          Reachable when loading a crafted .spl file (e.g. via 'set spell'
          after a modeline sets 'spelllang').  The cp/ap/crp allocations
          have the same int + 1 overflow class. (Daniel Cervera)
Solution: Use type size_t as buffer size and reject values larger than
          COMPOUND_MAX_LEN (100000).  Apply the same size_t treatment to
          the cp/ap/crp allocations.

GitHub Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/spellfile.c
src/testdir/test_spellfile.vim
src/version.c
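The integer-overflow class the commit message describes, as an added illustration in C that is not Vim's code: the sizing formula (doubling for inserted backslashes, 7 fixed bytes, doubling again under UTF-8) and the constructed input 0x40000005 are assumptions modelled on the message, not taken from spellfile.c, while COMPOUND_MAX_LEN (100000) is the cap the message names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cap named in the commit message: larger compound section lengths are rejected. */
#define COMPOUND_MAX_LEN 100000

/* Vulnerable shape (modelled, not Vim's code): the buffer size is derived from
 * the untrusted section length with signed int arithmetic.  Signed overflow is
 * undefined behaviour in C, so the wrapped value is computed deterministically
 * in uint32_t and reinterpreted; under this model the constructed input
 * 0x40000005 reproduces the 27-byte result the message quotes. */
int pattern_buf_size_int(int todo, bool utf8)
{
    uint32_t c = (uint32_t)todo * 2u + 7u;   /* doubling for backslashes + wrapper */
    if (utf8)
        c += (uint32_t)todo * 2u;            /* UTF-8 conversion may double again */
    return (int)(int32_t)c;                  /* 0x40000005 -> 27, far too small */
}

/* Hardened shape: reject oversized input first, then size in size_t. */
bool pattern_buf_size_safe(size_t todo, bool utf8, size_t *out)
{
    if (todo > COMPOUND_MAX_LEN)
        return false;                        /* crafted length never reaches arithmetic */
    size_t c = todo * 2 + 7;
    if (utf8)
        c += todo * 2;
    *out = c;
    return true;
}

int main(void)
{
    /* Constructed input: a section length on the order of the one in the report. */
    int crafted = 0x40000005;
    size_t safe_size = 0;

    printf("int sizing:    buffer = %d bytes, loop may write up to %d bytes\n",
           pattern_buf_size_int(crafted, true), crafted);
    printf("size_t sizing: %s\n",
           pattern_buf_size_safe((size_t)crafted, true, &safe_size)
               ? "accepted" : "rejected (exceeds COMPOUND_MAX_LEN)");
    if (pattern_buf_size_safe(100, true, &safe_size))
        printf("size_t sizing: todo=100 -> buffer = %zu bytes\n", safe_size);
    return 0;
}
```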