changeset 10976:f97a72ad8ffa v8.0.0377
patch 8.0.0377: possible overflow when reading corrupted undo file
commit https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Feb 26 18:11:36 2017 +0100
patch 8.0.0377: possible overflow when reading corrupted undo file
Problem: Possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 26 Feb 2017 18:15:04 +0100 |
parents | 67a025a62042 |
children | 0ef527d91f1f |
files | src/undo.c src/version.c |
diffstat | 2 files changed, 5 insertions(+), 2 deletions(-) |
--- a/src/undo.c +++ b/src/undo.c @@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, linenr_T line_lnum; colnr_T line_colnr; linenr_T line_count; - int num_head = 0; + long num_head = 0; long old_header_seq, new_header_seq, cur_header_seq; long seq_last, seq_cur; long last_save_nr = 0; @@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, * When there are no headers uhp_table is NULL. */ if (num_head > 0) { - uhp_table = (u_header_T **)U_ALLOC_LINE( + if (num_head < LONG_MAX / (long)sizeof(u_header_T *)) + uhp_table = (u_header_T **)U_ALLOC_LINE( num_head * sizeof(u_header_T *)); if (uhp_table == NULL) goto error;
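Review bot: in the first hunk (declarations at the top of u_read_undo), changing `int num_head` to `long num_head` widens the counter only on platforms where long is larger than int. Where long is 32 bits the range is unchanged and all of the protection comes from the bound check added in the second hunk. A comment on the declaration saying that num_head is taken from the undo file and must be range-checked before it is used as an allocation count would keep later edits from dropping that check.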
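Review bot: in the second hunk (inside `if (num_head > 0)`), the new size test guards only the assignment, so an oversized num_head falls through to `if (uhp_table == NULL) goto error;` and is rejected only if uhp_table still holds NULL from an initialization that is not visible in this hunk. Make the rejection explicit, for example `if (num_head >= LONG_MAX / (long)sizeof(u_header_T *)) goto error;` ahead of the allocation, or add braces around the nested statement so the control flow is unambiguous. The bound is also written against LONG_MAX, while the product `num_head * sizeof(u_header_T *)` is handed to U_ALLOC_LINE, whose parameter type is not shown here. The check is sufficient only if that parameter is at least as wide as long, which is worth stating in a comment next to the test.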