patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()
Commit:
https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241fc8633d93dff996b
Author: Yasuhiro Matsumoto <[email protected]>
Date: Tue Jun 16 20:32:21 2026 +0000
patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes()
Problem: [security]: a crafted spell file with a self-referential
BY_INDEX node in the prefix tree can drive dump_prefixes()
past the end of its MAXWLEN-sized depth arrays on :spelldump
(cipher-creator)
Solution: only descend while depth < MAXWLEN - 1, as the sibling trie
walkers already do (Yasuhiro Matsumoto)
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h
Supported by AI
Signed-off-by: Yasuhiro Matsumoto <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/spell.c b/src/spell.c
index b48ee87b0..fddcdaa9f 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -4325,7 +4325,7 @@ dump_prefixes(
}
}
}
- else
+ else if (depth < MAXWLEN - 1)
{
// Normal char, go one level deeper.
prefix[depth++] = c;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index 3b7f727d8..b524cf60f 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -1584,4 +1584,31 @@ func Test_suggest_spell_restore()
bwipe!
endfunc
+" A crafted .spl with a self-referential BY_INDEX node in the PREFIXTREE drove
+" dump_prefixes() past its MAXWLEN-sized depth arrays (stack out-of-bounds
+" write). The tree parses cleanly (shared refs aren't recursed); the walk
+" happens on :spelldump. Reaching the assert means no OOB. Same class as the
+" tree_count_words() fix (9.2.0653).
+func Test_spelldump_prefixtree_overflow()
+ CheckUnix
+ call mkdir('Xrtp/spell', 'pR')
+ " VIMspell + v50, SN_PREFCOND(prefixcnt=1), SN_END,
+ " LWORDTREE word "a" with affixID=1 (so dump_prefixes runs),
+ " empty KWORDTREE, PREFIXTREE child BY_INDEX -> nodeidx 0 (self-cycle), 'A'
+ let spl = eval('0z56494D7370656C6C32030000000003000100FF00000004'
+ \ .. '0161010220010000000000000002010100000041')
+ call writefile(spl, 'Xrtp/spell/xx.utf-8.spl', 'b')
+
+ new
+ set runtimepath+=./Xrtp
+ set spelllang=xx
+ set spell
+ spelldump
+ call assert_true(line('$') > 1)
+
+ set spell& spelllang& runtimepath&
+ bwipe!
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 9824f5891..770b0841c 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 662,
/**/
661,
/**/
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/vim_dev/E1wZbMB-0017nq-LC%40256bit.org.
