comparison src/undo.c @ 10978:f3d64d9e5d76 v8.0.0378
patch 8.0.0378: possible overflow when reading corrupted undo file
commit https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Feb 26 18:17:10 2017 +0100
patch 8.0.0378: possible overflow when reading corrupted undo file
Problem: Another possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 26 Feb 2017 18:30:04 +0100 |
parents | f97a72ad8ffa |
children | 778c10516955 |
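--- a/src/undo.c
+++ b/src/undo.c
@@ -1383,11 +1383,11 @@
 static u_entry_T *
 unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
 {
 int i;
 u_entry_T *uep;
-char_u **array;
+char_u **array = NULL;
 char_u *line;
 int line_len;
 
 uep = (u_entry_T *)U_ALLOC_LINE(sizeof(u_entry_T));
 if (uep == NULL)
@@ -1400,20 +1400,19 @@
 uep->ue_bot = undo_read_4c(bi);
 uep->ue_lcount = undo_read_4c(bi);
 uep->ue_size = undo_read_4c(bi);
 if (uep->ue_size > 0)
 {
-array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
+array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
 if (array == NULL)
 {
 *error = TRUE;
 return uep;
 }
 vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
 }
-else
-array = NULL;
 uep->ue_array = array;
 
 for (i = 0; i < uep->ue_size; ++i)
 {
 line_len = undo_read_4c(bi);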
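Review bot: The added guard `if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))` stops the size multiplication from wrapping, but it is not a plausibility bound on a count that comes straight from the undo file via `undo_read_4c(bi)`. Where `long` is 64 bits, every positive value a 4-byte read can produce passes it (assuming undo_read_4c returns a 32-bit quantity, as its name suggests), so a corrupted file can still request a multi-gigabyte array that `vim_memset` then writes in full. The rejected-size case also falls into the same `array == NULL` branch as an allocation failure, setting `*error = TRUE` with nothing in the visible lines that tells the user the file is corrupt, although `file_name` is available. I would at least document the intent with a comment above the guard, `/* ue_size is read from the file: reject counts whose array size would overflow */`, and consider a tighter cap on the count. unserialize_uep continues past the last visible line, so how `*error` is reported is not visible here.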