The `dump_prefixes()` function in `src/spell.c` walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed `MAXWLEN`-element stack arrays it indexes (`prefix[]`, `arridx[]`, `curi[]`). A crafted `.spl` file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. `dump_prefixes()` is called from `spell_dump_compl()` when the word list is dumped, for example on `:spelldump` or via spelling completion. For each node it descends one level with: ```C else { prefix[depth++] = c; arridx[depth] = idxs[n]; curi[depth] = 1; } ``` The arrays have `MAXWLEN` (254) elements, so any `depth` of 254 or more writes out of bounds; a second sink underflows a `size_t` length passed to `vim_strncpy()` once `depth` reaches `MAXWLEN`. In a well-formed file each trie level corresponds to one byte of a prefix, so depth is naturally limited, but the reader does not enforce this for shared subtrees: a `BY_INDEX` shared reference is accepted (its target index is range-checked) and is *not* recursed into. A prefix trie that uses a shared reference to point back to an ancestor or itself therefore parses cleanly while driving the iterative walker past `MAXWLEN`. This is the same class of issue as [GHSA-wgh4-64f7-q3jq]( https://github.com/vim/vim/security/advisories/GHSA-wgh4-64f7-q3jq ) (`tree_count_words()`, fixed in 9.2.0653) in a sibling trie walker that was left unguarded. A spell file is normally inert data, but Vim resolves `spelllang`, `spellfile`, and `runtimepath` to load it, so a repository or archive that ships a malicious `spell/` sidecar can deliver the crafted file. The trigger is user-interaction-gated: spell checking must be enabled and the user must dump the word list. When that happens, the out-of-bounds write corrupts the `dump_prefixes()` stack frame.
| Vendor | Product | Versions |
|---|---|---|
| vim | vim | < 9.2.0597, < 9.2.561, < 9.2.597, < 9.2.0653, < 9.2.0662, < 9.2.0663 |
Updated description with technical details, changed severity to MEDIUM, added affected version < 9.2.0662, and updated patch to 9.2.0662.
Updated description with critical severity and added affected version < 9.2.596.
Initial creation
