authorJames McCoy <jamessan@jamessan.com>2017-04-09 00:45:19 -0400
committerJames McCoy <jamessan@jamessan.com>2017-04-09 00:49:32 -0400
commitb338bb9d6c331fa4a45fbbeb7da3210f30f31702 (patch)
tree97c1e4986e885c0ce5efb06a64a0f007147ea101
parentad66826abee14009abddfbef3e6088afc773ab9d (diff)
vim-patch:8.0.0322
Problem: Possible overflow with a spell file whose tree length is corrupted. Solution: Check for an invalid length (suggested by shqking). https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d CVE-2017-5953
-rw-r--r--src/nvim/spellfile.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c
index 4d7ff558ad..81000b95f5 100644
--- a/src/nvim/spellfile.c
+++ b/src/nvim/spellfile.c
@@ -1572,6 +1572,10 @@ spell_read_tree (
int len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3ffffff) {
+ // Invalid length, multiply with sizeof(int) would overflow.
+ return SP_FORMERROR;
+ }
if (len > 0) {
// Allocate the byte array.
bp = xmalloc(len);
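Review bot: The bound `0x3ffffff` in the new check is a bare magic number whose relationship to the value it protects is stated only in the comment, and the product it guards (`len * sizeof(int)`, presumably the index array allocated later in spell_read_tree) is outside this hunk, so a reader of this line cannot verify the derivation. Giving the limit a name that records the derivation keeps it auditable, e.g. `enum { SP_TREE_LEN_MAX = 0x3ffffff };  // len * sizeof(int) must stay well inside int range` (name is a suggestion) and using that in the comparison. It is also worth noting in the comment that the limit is deliberately conservative: 0x3ffffff * 4 is 0xffffffc, far below INT_MAX, and the same check caps the `xmalloc(len)` below at roughly 64 MiB, so a crafted spell file can no longer drive an arbitrarily large allocation from a single corrupted length field. spell_read_tree starts and ends outside the hunk.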