author | Bram Moolenaar <Bram@vim.org> | 2017-02-26 18:11:36 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2017-02-26 18:11:36 +0100 |
commit | 3eb1637b1bba19519885dd6d377bd5596e91d22c (patch) | |
tree | 987e404cc32bf438d5e6c9939862c5cc7e0dddca /src/undo.c | |
parent | 6d3c8586fc81b022e9f06c611b9926108fb878c7 (diff) | |
download | vim-git-3eb1637b1bba19519885dd6d377bd5596e91d22c.tar.gz |
patch 8.0.0377: possible overflow when reading corrupted undo filev8.0.0377
Problem: Possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
Diffstat (limited to 'src/undo.c')
-rw-r--r-- | src/undo.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/undo.c b/src/undo.c
index b69f31872..ba7c0b83c 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
 linenr_T line_lnum;
 colnr_T line_colnr;
 linenr_T line_count;
- int num_head = 0;
+ long num_head = 0;
 long old_header_seq, new_header_seq, cur_header_seq;
 long seq_last, seq_cur;
 long last_save_nr = 0;
@@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
 * When there are no headers uhp_table is NULL. */
 if (num_head > 0)
 {
- uhp_table = (u_header_T **)U_ALLOC_LINE(
+ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
+ uhp_table = (u_header_T **)U_ALLOC_LINE(
 num_head * sizeof(u_header_T *));
 if (uhp_table == NULL)
 goto error;  |
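Review bot: In the second hunk the oversized-count case is rejected only indirectly: the new `if` skips the allocation, and the code then relies on `uhp_table` still being NULL to reach `goto error`, an initialisation that lies outside the hunk. An explicit guard does not depend on that and reads more safely, e.g. `if (num_head >= LONG_MAX / (long)sizeof(u_header_T *)) goto error;` placed before an unconditional `U_ALLOC_LINE` call. The bound only keeps the multiplication from wrapping, so a count taken from a corrupted undo file can presumably still request a very large allocation; a comment such as `/* num_head comes from the file: reject counts whose table size would overflow */` would record the intent. The first hunk's widening of `num_head` to `long` is what makes the comparison with `LONG_MAX` meaningful, and u_read_undo's body starts and ends outside both hunks.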