To: vim_dev@googlegroups.com
Subject: Patch 9.0.0109
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 9.0.0109
Problem:    Writing over the end of a buffer on stack when making list of
            spell suggestions.
Solution:   Make sure suggested word is not too long. (closes #10812)
Files:      src/spellsuggest.c, src/testdir/test_spell_utf8.vim


*** ../vim-9.0.0108/src/spellsuggest.c	2022-06-18 14:06:36.000000000 +0100
--- src/spellsuggest.c	2022-07-30 11:38:39.906523544 +0100
***************
*** 592,606 ****
  	msg_scroll = TRUE;
  	for (i = 0; i < sug.su_ga.ga_len; ++i)
  	{
  	    stp = &SUG(sug.su_ga, i);
  
  	    // The suggested word may replace only part of the bad word, add
! 	    // the not replaced part.
  	    vim_strncpy(wcopy, stp->st_word, MAXWLEN);
! 	    if (sug.su_badlen > stp->st_orglen)
  		vim_strncpy(wcopy + stp->st_wordlen,
! 					       sug.su_badptr + stp->st_orglen,
! 					      sug.su_badlen - stp->st_orglen);
  	    vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
  #ifdef FEAT_RIGHTLEFT
  	    if (cmdmsg_rl)
--- 592,608 ----
  	msg_scroll = TRUE;
  	for (i = 0; i < sug.su_ga.ga_len; ++i)
  	{
+ 	    int el;
+ 
  	    stp = &SUG(sug.su_ga, i);
  
  	    // The suggested word may replace only part of the bad word, add
! 	    // the not replaced part.  But only when it's not getting too long.
  	    vim_strncpy(wcopy, stp->st_word, MAXWLEN);
! 	    el = sug.su_badlen - stp->st_orglen;
! 	    if (el > 0 && stp->st_wordlen + el <= MAXWLEN)
  		vim_strncpy(wcopy + stp->st_wordlen,
! 					   sug.su_badptr + stp->st_orglen, el);
  	    vim_snprintf((char *)IObuff, IOSIZE, "%2d", i + 1);
  #ifdef FEAT_RIGHTLEFT
  	    if (cmdmsg_rl)
*** ../vim-9.0.0108/src/testdir/test_spell_utf8.vim	2022-07-04 11:03:03.548044326 +0100
--- src/testdir/test_spell_utf8.vim	2022-07-30 11:36:40.346361471 +0100
***************
*** 819,823 ****
--- 819,831 ----
    bwipe!
  endfunc
  
+ func Test_spell_suggest_too_long()
+   " this was creating a word longer than MAXWLEN
+   new
+   call setline(1, 'a' .. repeat("\u0333", 150))
+   norm! z=
+   bwipe!
+ endfunc
+ 
  
  " vim: shiftwidth=2 sts=2 expandtab
*** ../vim-9.0.0108/src/version.c	2022-07-30 11:00:46.553396706 +0100
--- src/version.c	2022-07-30 11:39:45.010612826 +0100
***************
*** 737,738 ****
--- 737,740 ----
  {   /* Add new patch number below this line */
+ /**/
+     109,
  /**/

-- 
% cat /usr/include/sys/errno.h
#define	EPERM		1		/* Operation not permitted */
#define	ENOENT		2		/* No such file or directory */
#define	ESRCH		3		/* No such process */
[...]
#define EMACS		666		/* Too many macros */
%

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///                                                                      \\\
\\\        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///