summaryrefslogtreecommitdiff
path: root/src/undo.c
diff options
context:
space:
mode:
authorBram Moolenaar <Bram@vim.org>2017-02-26 18:11:36 +0100
committerBram Moolenaar <Bram@vim.org>2017-02-26 18:11:36 +0100
commit3eb1637b1bba19519885dd6d377bd5596e91d22c (patch)
tree987e404cc32bf438d5e6c9939862c5cc7e0dddca /src/undo.c
parent6d3c8586fc81b022e9f06c611b9926108fb878c7 (diff)
downloadvim-git-3eb1637b1bba19519885dd6d377bd5596e91d22c.tar.gz
patch 8.0.0377: possible overflow when reading corrupted undo filev8.0.0377
Problem: Possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King)
Diffstat (limited to 'src/undo.c')
-rw-r--r--src/undo.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/undo.c b/src/undo.c
index b69f31872..ba7c0b83c 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
linenr_T line_lnum;
colnr_T line_colnr;
linenr_T line_count;
- int num_head = 0;
+ long num_head = 0;
long old_header_seq, new_header_seq, cur_header_seq;
long seq_last, seq_cur;
long last_save_nr = 0;
@@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
* When there are no headers uhp_table is NULL. */
if (num_head > 0)
{
- uhp_table = (u_header_T **)U_ALLOC_LINE(
+ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
+ uhp_table = (u_header_T **)U_ALLOC_LINE(
num_head * sizeof(u_header_T *));
if (uhp_table == NULL)
goto error;