authorBram Moolenaar <Bram@vim.org>2017-02-26 18:17:10 +0100
committerBram Moolenaar <Bram@vim.org>2017-02-26 18:17:10 +0100
commit0c8485f0e4931463c0f7986e1ea84a7d79f10c75 (patch)
treea2150ee7dcde00d58ee21dfb653f45f09f5f9894 /src/undo.c
parent3eb1637b1bba19519885dd6d377bd5596e91d22c (diff)
patch 8.0.0378: possible overflow when reading corrupted undo filev8.0.0378
Problem: Another possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King)
Diffstat (limited to 'src/undo.c')
-rw-r--r--src/undo.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/src/undo.c b/src/undo.c
index ba7c0b83c..5b953795e 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
{
int i;
u_entry_T *uep;
- char_u **array;
+ char_u **array = NULL;
char_u *line;
int line_len;
@@ -1402,7 +1402,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
uep->ue_size = undo_read_4c(bi);
if (uep->ue_size > 0)
{
- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
+ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
if (array == NULL)
{
*error = TRUE;
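Review bot: The new guard `if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))` stops the size multiplication from wrapping, but it is not a plausibility limit. Where `long` is 64 bits and the count comes from a 4-byte field (as the name `undo_read_4c` suggests), the condition can hardly be false, so a corrupted undo file can still request a multi-gigabyte pointer array that is then zeroed by `vim_memset` in the following hunk; consider also rejecting counts larger than the rest of the file could describe. The rejection path works only because `array` is now initialised to NULL in the declaration hunk, so an oversize count falls into the existing `array == NULL` branch; a comment above the new `if`, such as `/* ue_size comes from the undo file: leave array NULL when the byte count would overflow */`, would make that dependency visible. The body of unserialize_uep starts and ends outside this hunk.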
@@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
}
vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
}
- else
- array = NULL;
uep->ue_array = array;
for (i = 0; i < uep->ue_size; ++i)