To: vim_dev@googlegroups.com Subject: Patch 9.0.0021 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 9.0.0021 Problem: Invalid memory access when adding word with a control character to the internal spell word list. Solution: Disallow adding a word with control characters or a trailing slash. Files: src/spellfile.c, src/testdir/test_spell.vim *** ../vim-9.0.0020/src/spellfile.c 2022-05-08 22:17:57.000000000 +0100 --- src/spellfile.c 2022-07-01 22:24:54.847885846 +0100 *************** *** 4367,4372 **** --- 4367,4389 ---- } /* + * Return TRUE if "word" contains valid word characters. + * Control characters and trailing '/' are invalid. Space is OK. + */ + static int + valid_spell_word(char_u *word) + { + char_u *p; + + if (enc_utf8 && !utf_valid_string(word, NULL)) + return FALSE; + for (p = word; *p != NUL; p += mb_ptr2len(p)) + if (*p < ' ' || (p[0] == '/' && p[1] == NUL)) + return FALSE; + return TRUE; + } + + /* * Store a word in the tree(s). * Always store it in the case-folded tree. For a keep-case word this is * useful when the word can also be used with all caps (no WF_FIXCAP flag) and *************** *** 4391,4397 **** char_u *p; // Avoid adding illegal bytes to the word tree. ! if (enc_utf8 && !utf_valid_string(word, NULL)) return FAIL; (void)spell_casefold(curwin, word, len, foldword, MAXWLEN); --- 4408,4414 ---- char_u *p; // Avoid adding illegal bytes to the word tree. ! if (!valid_spell_word(word)) return FAIL; (void)spell_casefold(curwin, word, len, foldword, MAXWLEN); *************** *** 6194,6200 **** int i; char_u *spf; ! if (enc_utf8 && !utf_valid_string(word, NULL)) { emsg(_(e_illegal_character_in_word)); return; --- 6211,6217 ---- int i; char_u *spf; ! 
if (!valid_spell_word(word)) { emsg(_(e_illegal_character_in_word)); return; *** ../vim-9.0.0020/src/testdir/test_spell.vim 2022-06-18 14:05:09.000000000 +0100 --- src/testdir/test_spell.vim 2022-07-01 22:06:55.820111846 +0100 *************** *** 854,859 **** --- 854,874 ---- bwipe! endfunc + func Test_spell_good_word_invalid() + " This was adding a word with a 0x02 byte, which causes havoc. + enew + norm o0 + sil! norm rzzWs00/ + 2 + sil! norm VzGprzzW + sil! norm z= + + bwipe! + " clear the internal word list + set enc=latin1 + set enc=utf-8 + endfunc + func LoadAffAndDic(aff_contents, dic_contents) set enc=latin1 set spellfile= *** ../vim-9.0.0020/src/version.c 2022-07-01 19:58:27.161837285 +0100 --- src/version.c 2022-07-01 22:08:30.044140558 +0100 *************** *** 737,738 **** --- 737,740 ---- { /* Add new patch number below this line */ + /**/ + 21, /**/ -- hundred-and-one symptoms of being an internet addict: 37. You start looking for hot HTML addresses in public restrooms. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
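Review bot: valid_spell_word() scans `word` up to the terminating NUL, but both changed call sites (store_word() at 4408 and spell_add_word() at 6211) appear to work on a length-delimited word; store_word() passes `len` to spell_casefold() on the very next line. If `word` points into a longer buffer, the control-character test also covers the text after the word, and the trailing-slash test `p[1] == NUL` looks at the end of the buffer rather than the end of the word. A valid word could then be refused because of what follows it, and a word whose own last byte is '/' could pass. I would bound the check to the word: `valid_spell_word(char_u *word, char_u *end)`, forwarding `end` to utf_valid_string(), looping on `*p != NUL && p < end` with the slash test as `(p[1] == NUL || p + 1 == end)`, and called as `valid_spell_word(word, word + len)`. Both caller bodies start and end outside their hunks, so whether `len` is in scope in spell_add_word() needs confirming.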
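Review bot: Test_spell_good_word_invalid() only replays the crashing key sequence under `sil!` and asserts nothing, so it passes whenever Vim does not crash, whether or not the word was actually rejected. A direct check of the new rule would pin the behaviour, for example `call assert_fails("spellgood! a\<C-B>b", 'E1280:')`, plus a similar case for a word ending in '/'. E1280 is the number I expect for e_illegal_character_in_word; confirm it against errors.h. A short comment saying why switching `enc` to latin1 and back clears the internal word list would also help the next reader.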