changeset 10978:f3d64d9e5d76 v8.0.0378
patch 8.0.0378: possible overflow when reading corrupted undo file
commit https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Feb 26 18:17:10 2017 +0100
patch 8.0.0378: possible overflow when reading corrupted undo file
Problem: Another possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
author | Christian Brabandt <cb@256bit.org> |
date | Sun, 26 Feb 2017 18:30:04 +0100 |
parents | 0ef527d91f1f |
children | cb1c85dc01d3 |
files | src/undo.c src/version.c |
diffstat | 2 files changed, 5 insertions(+), 4 deletions(-) [+] |
--- a/src/undo.c
+++ b/src/undo.c
@@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *erro
 {
     int i;
     u_entry_T *uep;
-    char_u **array;
+    char_u **array = NULL;
     char_u *line;
     int line_len;
@@ -1402,7 +1402,8 @@ unserialize_uep(bufinfo_T *bi, int *erro
     uep->ue_size = undo_read_4c(bi);
     if (uep->ue_size > 0)
     {
-        array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+        if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
+            array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
         if (array == NULL)
         {
             *error = TRUE;
@@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *erro
         }
         vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
     }
-    else
-        array = NULL;
     uep->ue_array = array;
     for (i = 0; i < uep->ue_size; ++i)
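Review bot: The new guard `if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))` in the second hunk carries no comment, and because a rejected size simply leaves `array` NULL and falls into the pre-existing `if (array == NULL)` branch, a reader sees what looks like an out-of-memory path doing duty as a corrupted-file check. I would add `/* A corrupt ue_size must not overflow the byte count; leave array NULL so the error path below rejects the file. */` directly above the guard. The byte count `sizeof(char_u *) * uep->ue_size` is also spelled out twice in this hunk (allocation and `vim_memset`) and would be easier to keep in step as one local, e.g. `size_t nbytes = sizeof(char_u *) * uep->ue_size;` computed once the guard has passed. unserialize_uep continues past the last hunk, so the loop over `ue_size` entries that consumes the array is outside what I can review here.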