patch 9.2.0623: possible integer overflow in spellfile tree bounds check
Commit:
https://github.com/vim/vim/commit/276920e138c276ffb1e6d5ec56879056a419453c
Author: Devon Kirk <[email protected]>
Date: Fri Jun 12 10:10:50 2026 +0000
patch 9.2.0623: possible integer overflow in spellfile tree bounds check
Problem: possible integer overflow in spellfile tree bounds check
Solution: Rewrite the overflow check (Devon Kirk)
The check 'startidx + len >= maxidx' uses signed int addition and can
overflow when startidx approaches INT_MAX. After overflow the wrapped
result bypasses the guard, allowing the subsequent loop to write
idxs[startidx + i] out of bounds on the heap.
Replace the addition with a safe subtractive check that maintains the
original >= semantics: len >= maxidx - startidx cannot overflow because
both operands are valid indices within [0, maxidx].
This fixes CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based
Buffer Overflow).
closes: #20483
Signed-off-by: Devon Kirk <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/spellfile.c b/src/spellfile.c
index 8a373f343..c1e15e976 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1670,7 +1670,7 @@ read_tree_node(
if (len <= 0)
return SP_TRUNCERROR;
- if (startidx + len >= maxidx)
+ if (len >= maxidx - startidx)
return SP_FORMERROR;
byts[idx++] = len;
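Review bot: the rewritten guard `if (len >= maxidx - startidx)` is only overflow-free while startidx is non-negative, and nothing in the visible context of this hunk enforces that. The commit message states that both operands lie within [0, maxidx], but the only precondition shown here is `len <= 0` being rejected. A startidx above maxidx is harmless, since the difference goes negative and a positive len then always takes the SP_FORMERROR path. A negative startidx, however, would move the overflow into the subtraction. Consider stating the invariant in a comment above the check, or rejecting `startidx < 0` explicitly if callers cannot guarantee it. The patch as shown changes only src/spellfile.c and src/version.c, so a regression test that loads a spell file with a node count near the limit would help keep this check from regressing.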
diff --git a/src/version.c b/src/version.c
index 57bd82493..b798c6348 100644
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 623,
/**/
622,
/**/