patch 8.2.5072: using uninitialized value and freed memory in spell c…
…ommand

Problem:    Using uninitialized value and freed memory in spell command.
Solution:   Initialize "attr".  Check for empty line early.
brammool committed Jun 9, 2022
1 parent f5465ff commit 2813f38
Showing 3 changed files with 24 additions and 3 deletions.
10 changes: 7 additions & 3 deletions src/spell.c
@@ -1275,7 +1275,7 @@ spell_move_to(
char_u *line;
char_u *p;
char_u *endp;
hlf_T attr;
hlf_T attr = 0;
int len;
#ifdef FEAT_SYN_HL
int has_syntax = syntax_present(wp);
@@ -1308,6 +1308,8 @@ spell_move_to(

while (!got_int)
{
int empty_line;

line = ml_get_buf(wp->w_buffer, lnum, FALSE);

len = (int)STRLEN(line);
@@ -1340,7 +1342,9 @@ spell_move_to(
}

// Copy the line into "buf" and append the start of the next line if
// possible.
// possible. Note: this ml_get_buf() may make "line" invalid, check
// for empty line first.
empty_line = *skipwhite(line) == NUL;
STRCPY(buf, line);
if (lnum < wp->w_buffer->b_ml.ml_line_count)
spell_cat_line(buf + STRLEN(buf),
@@ -1487,7 +1491,7 @@ spell_move_to(
--capcol;

// But after empty line check first word in next line
if (*skipwhite(line) == NUL)
if (empty_line)
capcol = 0;
}

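Review bot: After `STRCPY(buf, line);` the pointer `line` stays in scope while the following `ml_get_buf()` call for `lnum + 1` may invalidate it, and the fix relies on nobody dereferencing it again further down the loop. Caching `empty_line` removes the one stale read this commit found, but the hazard itself is only recorded in a comment. Consider adding `line = NULL;  // stale after the ml_get_buf() below, use "buf"` right after the `STRCPY()` so that a later use fails deterministically instead of reading freed memory; `line` is reassigned at the top of each iteration, so this should be safe provided no other use follows in the parts of the loop body that lie outside the visible hunks. Separately, `hlf_T attr = 0;` initialises an enum with a bare literal; a short comment saying which value 0 stands for and why it is a harmless default would help.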
15 changes: 15 additions & 0 deletions src/testdir/test_spell_utf8.vim
@@ -802,5 +802,20 @@ func Test_word_index()
call delete('Xtmpfile')
endfunc

func Test_check_empty_line()
" This was using freed memory
enew
spellgood!
norm z=
norm yy
sil! norm P]svc
norm P]s

" set 'encoding' to clear the wordt list
set enc=latin1
set enc=utf-8
bwipe!
endfunc


" vim: shiftwidth=2 sts=2 expandtab
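Review bot: `Test_check_empty_line()` contains no assert, so it can only catch a regression when the test suite runs under a memory checker such as valgrind or AddressSanitizer; in a plain build the freed-memory read would most likely go unnoticed and the test would pass. A comment at the top of the function would make that dependency explicit, for example `" No assert: only fails under valgrind/ASan, which report the invalid read`. The comment `" set 'encoding' to clear the wordt list` presumably means "word list".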
2 changes: 2 additions & 0 deletions src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
/**/
5072,
/**/
5071,
/**/
