vim: src/undo.c comparison

comparison src/undo.c @ 10976:f97a72ad8ffa v8.0.0377

patch 8.0.0377: possible overflow when reading corrupted undo file commit https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c Author: Bram Moolenaar <Bram@vim.org> Date: Sun Feb 26 18:11:36 2017 +0100 patch 8.0.0377: possible overflow when reading corrupted undo file Problem: Possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King)

author	Christian Brabandt <cb@256bit.org>
date	Sun, 26 Feb 2017 18:15:04 +0100
parents	cbf17371627c
children	f3d64d9e5d76

comparison

equal deleted inserted replaced

-:67a025a62042
+:f97a72ad8ffa
 long	version, str_len;
 char_u	*line_ptr = NULL;
 linenr_T	line_lnum;
 colnr_T	line_colnr;
 linenr_T	line_count;
-int		num_head = 0;
+long	num_head = 0;
 long	old_header_seq, new_header_seq, cur_header_seq;
 long	seq_last, seq_cur;
 long	last_save_nr = 0;
 short	old_idx = -1, new_idx = -1, cur_idx = -1;
 long	num_read_uhps = 0;
 * until we insert them into curbuf. The table remains sorted by the
 * sequence numbers of the headers.
 * When there are no headers uhp_table is NULL. */
 if (num_head > 0)
 {
-	uhp_table = (u_header_T **)U_ALLOC_LINE(
+	if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
+	    uhp_table = (u_header_T **)U_ALLOC_LINE(
 					     num_head * sizeof(u_header_T *));
 	if (uhp_table == NULL)
 	    goto error;
 }

Mercurial > vim

comparison src/undo.c @ 10976:f97a72ad8ffa v8.0.0377