author | Bram Moolenaar <Bram@vim.org> | 2017-02-09 21:07:12 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2017-02-09 21:07:12 +0100 |
commit | 399c297aa93afe2c0a39e2a1b3f972aebba44c9d (patch) | |
tree | f9175f98e1893debeaaaa62f4bd11be1c3baa7e4 | |
parent | 8cc2a9c062fa38e133a62778518f769a423a2526 (diff) | |
download | vim-git-399c297aa93afe2c0a39e2a1b3f972aebba44c9d.tar.gz |
patch 8.0.0322: possible overflow with corrupted spell filev8.0.0322
Problem: Possible overflow with spell file where the tree length is
corrupted.
Solution: Check for an invalid length (suggested by shqking)
-rw-r--r-- | src/spellfile.c | 3 | ||||
-rw-r--r-- | src/version.c | 2 |
2 files changed, 5 insertions, 0 deletions
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6c7..8b1a3a633 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
 len = get4c(fd);
 if (len < 0)
 return SP_TRUNCERROR;
+ if (len >= 0x3ffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
 if (len > 0)
 {
 /* Allocate the byte array. */
diff --git a/src/version.c b/src/version.c
index 7a3d21513..c1a5186ba 100644
--- a/src/version.c
+++ b/src/version.c
@@ -765,6 +765,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 322,
+/**/
 321,
 /**/
 320, |
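Review bot: The new bound `0x3ffffff` in spell_read_tree (src/spellfile.c) is a bare magic number that does not match its own comment: it is 2^26 - 1, so `len * sizeof(int)` is still well short of overflow for a 4-byte int, which suggests either a dropped digit or an undocumented sanity cap. Because `len` is read straight from the spell file, the limit would be easier to audit if it were derived from the types used in the allocation, e.g. `if (len >= INT_MAX / (int)sizeof(int))`, assuming `len` and the size computation are `int`; the declaration and the allocation are outside the hunk, so that needs confirming. If the tighter cap is intentional, the comment should say so, for example `/* Sanity cap on tree length; also keeps len * sizeof(int) from overflowing. */`. The function body starts and ends outside the hunk.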