vim-patch:9.0.2141: [security]: buffer-overflow in suggest_trie_walk

Problem:  [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array

Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.

Reported by @henices, thanks!

0fb375aae6

Co-authored-by: Christian Brabandt <cb@256bit.org>

src/nvim/spellsuggest.c

@@ -1941,6 +1941,12 @@ static void suggest_trie_walk(suginfo_T *su, langp_T *lp, char *fword, bool soun
       // - Skip the byte if it's equal to the byte in the word,
       //   accepting that byte is always better.
       n += sp->ts_curi++;
+
+      // break out, if we would be accessing byts buffer out of bounds
+      if (byts == slang->sl_fbyts && n >= slang->sl_fbyts_len) {
+        got_int = true;
+        break;
+      }
       c = byts[n];
       if (soundfold && sp->ts_twordlen == 0 && c == '*') {
         // Inserting a vowel at the start of a word counts less,

test/old/testdir/test_crash.vim

@@ -135,6 +135,13 @@ func Test_crash1_2()
     \ '  && echo "crash 2: [OK]" >> '.. result .. "\<cr>")
   call TermWait(buf, 350)
 
+  let file = 'crash/poc_suggest_trie_walk'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 3: [OK]" >> '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
 
@@ -143,6 +150,7 @@ func Test_crash1_2()
   let expected = [
       \ 'crash 1: [OK]',
       \ 'crash 2: [OK]',
+      \ 'crash 3: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))