changeset 10865:1a18c0f93ffa v8.0.0322

patch 8.0.0322: possible overflow with corrupted spell file commit https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d Author: Bram Moolenaar <Bram@vim.org> Date: Thu Feb 9 21:07:12 2017 +0100 patch 8.0.0322: possible overflow with corrupted spell file Problem: Possible overflow with spell file where the tree length is corrupted. Solution: Check for an invalid length (suggested by shqking)
author Christian Brabandt <cb@256bit.org>
date Thu, 09 Feb 2017 21:15:04 +0100
parents 49b0c44264a1
children f1f942860806
files src/spellfile.c src/version.c
diffstat 2 files changed, 5 insertions(+), 0 deletions(-) [+]
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
     if (len > 0)
     {
 	/* Allocate the byte array. */
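Review bot: The bound `0x3ffffff` in the added check is a magic number that does not match the overflow its comment names. With a 4-byte int it rejects lengths from about 64M entries upward, while `len * sizeof(int)` would only wrap well above that, so a reader cannot tell whether this is a typo for `0x3fffffff` or a deliberate cap on allocation size. Since `len` is read straight from the spell file, I would derive the limit from the type the product is computed in, e.g. `if (len >= INT_MAX / (int)sizeof(int))` if that type is int. Alternatively, keep the constant and reword the comment to say it is a sanity limit on tree size. The declaration of `len` and the allocation that multiplies by `sizeof(int)` are in the part of `spell_read_tree` outside this hunk, so the exact type should be confirmed there.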
--- a/src/version.c
+++ b/src/version.c
@@ -765,6 +765,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    322,
+/**/
     321,
 /**/
     320,