To: vim_dev@googlegroups.com Subject: Patch 8.2.5072 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.5072 Problem: Using uninitialized value and freed memory in spell command. Solution: Initialize "attr". Check for empty line early. Files: src/spell.c, src/testdir/test_spell_utf8.vim *** ../vim-8.2.5071/src/spell.c 2022-05-20 14:10:45.324929965 +0100 --- src/spell.c 2022-06-09 19:53:29.204112786 +0100 *************** *** 1275,1281 **** char_u *line; char_u *p; char_u *endp; ! hlf_T attr; int len; #ifdef FEAT_SYN_HL int has_syntax = syntax_present(wp); --- 1275,1281 ---- char_u *line; char_u *p; char_u *endp; ! hlf_T attr = 0; int len; #ifdef FEAT_SYN_HL int has_syntax = syntax_present(wp); *************** *** 1308,1313 **** --- 1308,1315 ---- while (!got_int) { + int empty_line; + line = ml_get_buf(wp->w_buffer, lnum, FALSE); len = (int)STRLEN(line); *************** *** 1340,1346 **** } // Copy the line into "buf" and append the start of the next line if ! // possible. STRCPY(buf, line); if (lnum < wp->w_buffer->b_ml.ml_line_count) spell_cat_line(buf + STRLEN(buf), --- 1342,1350 ---- } // Copy the line into "buf" and append the start of the next line if ! // possible. Note: this ml_get_buf() may make "line" invalid, check ! // for empty line first. ! empty_line = *skipwhite(line) == NUL; STRCPY(buf, line); if (lnum < wp->w_buffer->b_ml.ml_line_count) spell_cat_line(buf + STRLEN(buf), *************** *** 1487,1493 **** --capcol; // But after empty line check first word in next line ! if (*skipwhite(line) == NUL) capcol = 0; } --- 1491,1497 ---- --capcol; // But after empty line check first word in next line ! 
if (empty_line) capcol = 0; } *** ../vim-8.2.5071/src/testdir/test_spell_utf8.vim 2022-05-23 12:01:10.937519982 +0100 --- src/testdir/test_spell_utf8.vim 2022-06-09 19:49:50.030340909 +0100 *************** *** 802,806 **** --- 802,821 ---- call delete('Xtmpfile') endfunc + func Test_check_empty_line() + " This was using freed memory + enew + spellgood! fl + norm z= + norm yy + sil! norm P]svc + norm P]s + + " set 'encoding' to clear the wordt list + set enc=latin1 + set enc=utf-8 + bwipe! + endfunc + " vim: shiftwidth=2 sts=2 expandtab *** ../vim-8.2.5071/src/version.c 2022-06-09 14:50:05.597785001 +0100 --- src/version.c 2022-06-09 19:20:44.454738354 +0100 *************** *** 736,737 **** --- 736,739 ---- { /* Add new patch number below this line */ + /**/ + 5072, /**/ -- Arthur pulls Pin out. The MONK blesses the grenade as ... ARTHUR: (quietly) One, two, five ... GALAHAD: Three, sir! ARTHUR: Three. "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
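Review bot: in the first src/spell.c hunk (line 1278), `hlf_T attr = 0;` initializes an enum-typed variable with a bare integer, so a reader cannot tell which highlight value the default stands for or whether it is meant as a "nothing flagged" placeholder. Suggest using a named hlf_T enumerator, or adding a short comment that says what 0 means at this point.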
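Review bot: in the second src/spell.c hunk (line 1311), `int empty_line;` is declared at the top of the loop body without an initializer, and its only assignment comes in the following hunk, about thirty lines further down. Since the stated problem of this patch is an uninitialized value, write `int empty_line = FALSE;` so that no path through the loop body can reach the later `if (empty_line)` with the variable unset.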
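Review bot: in the third src/spell.c hunk (lines 1345-1347), the new comment says "this ml_get_buf() may make "line" invalid", but the statements it sits above are `empty_line = ...` and `STRCPY(buf, line);`, and the only ml_get_buf() call visible in the patch is the earlier one that produced "line". Name the call that actually invalidates the pointer (the hunk is cut off inside the spell_cat_line() arguments, so it is not visible here). Also note that "line" stays in scope as a stale pointer for the rest of the loop body; the patch replaces the one later read in the last hunk, but a comment at the declaration or resetting `line` to NULL after the copy would keep a future edit from dereferencing it again.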
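Review bot: Test_check_empty_line() in the src/testdir/test_spell_utf8.vim hunk contains no assert call, and `sil! norm P]svc` suppresses any error, so the test passes whenever Vim does not crash and only detects a regression of the freed-memory read when the suite runs under a memory checker. Say so in the comment, or add an assertion on the resulting buffer or cursor state. The comment "clear the wordt list" also has a typo and should read "word list".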