vim/backport-CVE-2022-2304.patch

From 54e5fed6d27b747ff152cdb6edfb72ff60e70939 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 4 Jul 2022 13:37:07 +0100
Subject: [PATCH] patch 9.0.0035: spell dump may go beyond end of an array

Problem:    Spell dump may go beyond end of an array.
Solution:   Limit the word length.
---
 src/spell.c                |  5 +++--
 src/testdir/test_spell.vim | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/spell.c b/src/spell.c
index 5b25950..1d7a1ae 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -3958,9 +3958,10 @@ spell_dump_compl(
 		    n = arridx[depth] + curi[depth];
 		    ++curi[depth];
 		    c = byts[n];
-		    if (c == 0)
+		    if (c == 0 || depth >= MAXWLEN - 1)
 		    {
-			// End of word, deal with the word.
+			// End of word or reached maximum length, deal with the
+			// word.
 			// Don't use keep-case words in the fold-case tree,
 			// they will appear in the keep-case tree.
 			// Only use the word when the region matches.
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index ff50ecd..1f79907 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -141,6 +141,18 @@ func Test_spellreall()
   bwipe!
 endfunc
 
+func Test_spell_dump_word_length()
+  " this was running over MAXWLEN
+  new
+  noremap 0 0a0zW0000000
+  sil! norm 0z=0
+  sil norm 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+  sil! norm 0z=0
+
+  bwipe!
+  nunmap 0
+endfunc
+
 func Test_spellsuggest_visual_end_of_line()
   let enc_save = &encoding
   set encoding=iso8859
-- 
1.8.3.1