patch 9.0.0021: invalid memory access when adding word to spell word listv9.0.0021

Problem: Invalid memory access when adding word with a control character to the internal spell word list. Solution: Disallow adding a word with control characters or a trailing slash.
author: Bram Moolenaar <Bram@vim.org> 2022-07-01 22:26:20 +0100
committer: Bram Moolenaar <Bram@vim.org> 2022-07-01 22:26:20 +0100
commit: 5e59ea54c0c37c2f84770f068d95280069828774 (patch)
tree: 09f0c34da420d6aff84c745647201844c15fcfab
parent: f12129f1714f7d2301935bb21d896609bdac221c (diff)
3 files changed, 36 insertions, 2 deletions
diff --git a/src/spellfile.c b/src/spellfile.c
index f0d6d96a47..4a0de5237f 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -4367,6 +4367,23 @@ wordtree_alloc(spellinfo_T *spin)
 }
 
 /*
+ * Return TRUE if "word" contains valid word characters.
+ * Control characters and trailing '/' are invalid.  Space is OK.
+ */
+    static int
+valid_spell_word(char_u *word)
+{
+    char_u *p;
+
+    if (enc_utf8 && !utf_valid_string(word, NULL))
+	return FALSE;
+    for (p = word; *p != NUL; p += mb_ptr2len(p))
+	if (*p < ' ' || (p[0] == '/' && p[1] == NUL))
+	    return FALSE;
+    return TRUE;
+}
+
+/*
  * Store a word in the tree(s).
  * Always store it in the case-folded tree.  For a keep-case word this is
  * useful when the word can also be used with all caps (no WF_FIXCAP flag) and
@@ -4391,7 +4408,7 @@ store_word(
     char_u	*p;
 
     // Avoid adding illegal bytes to the word tree.
-    if (enc_utf8 && !utf_valid_string(word, NULL))
+    if (!valid_spell_word(word))
 	return FAIL;
 
     (void)spell_casefold(curwin, word, len, foldword, MAXWLEN);
@@ -6194,7 +6211,7 @@ spell_add_word(
     int		i;
     char_u	*spf;
 
-    if (enc_utf8 && !utf_valid_string(word, NULL))
+    if (!valid_spell_word(word))
     {
 	emsg(_(e_illegal_character_in_word));
 	return;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 0fd5ed9178..0187a175a8 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -854,6 +854,21 @@ func Test_spellsuggest_too_deep()
   bwipe!
 endfunc
 
+func Test_spell_good_word_invalid()
+  " This was adding a word with a 0x02 byte, which causes havoc.
+  enew
+  norm o0
+  sil! norm rzzWs00/
+  2
+  sil! norm VzGprzzW
+  sil! norm z=
+
+  bwipe!
+  " clear the internal word list
+  set enc=latin1
+  set enc=utf-8
+endfunc
+
 func LoadAffAndDic(aff_contents, dic_contents)
   set enc=latin1
   set spellfile=
diff --git a/src/version.c b/src/version.c
index 26cb768a82..23798ee560 100644
--- a/src/version.c
+++ b/src/version.c
@@ -736,6 +736,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    21,
+/**/
     20,
 /**/
     19,
author	Bram Moolenaar <Bram@vim.org>	2022-07-01 22:26:20 +0100
committer	Bram Moolenaar <Bram@vim.org>	2022-07-01 22:26:20 +0100
commit	5e59ea54c0c37c2f84770f068d95280069828774 (patch)
tree	09f0c34da420d6aff84c745647201844c15fcfab
parent	f12129f1714f7d2301935bb21d896609bdac221c (diff)