vim: src/undo.c comparison

comparison src/undo.c @ 10978:f3d64d9e5d76 v8.0.0378

patch 8.0.0378: possible overflow when reading corrupted undo file commit https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75 Author: Bram Moolenaar <Bram@vim.org> Date: Sun Feb 26 18:17:10 2017 +0100 patch 8.0.0378: possible overflow when reading corrupted undo file Problem: Another possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King)

author	Christian Brabandt <cb@256bit.org>
date	Sun, 26 Feb 2017 18:30:04 +0100
parents	f97a72ad8ffa
children	778c10516955

comparison

equal deleted inserted replaced

-:0ef527d91f1f
+:f3d64d9e5d76
 static u_entry_T *
 unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
 {
 int		i;
 u_entry_T	*uep;
-char_u	**array;
+char_u	**array = NULL;
 char_u	*line;
 int		line_len;
 uep = (u_entry_T *)U_ALLOC_LINE(sizeof(u_entry_T));
 if (uep == NULL)
 uep->ue_bot = undo_read_4c(bi);
 uep->ue_lcount = undo_read_4c(bi);
 uep->ue_size = undo_read_4c(bi);
 if (uep->ue_size > 0)
 {
-	array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+	if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
+	    array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
 	if (array == NULL)
 	{
 	    *error = TRUE;
 	    return uep;
 	}
 	vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
 }
-else
-	array = NULL;
 uep->ue_array = array;
 for (i = 0; i < uep->ue_size; ++i)
 {
 	line_len = undo_read_4c(bi);

Mercurial > vim

comparison src/undo.c @ 10978:f3d64d9e5d76 v8.0.0378