authorJames McCoy <jamessan@jamessan.com>2017-04-08 21:56:02 -0400
committerJames McCoy <jamessan@jamessan.com>2017-04-09 00:49:32 -0400
commitad66826abee14009abddfbef3e6088afc773ab9d (patch)
tree294c747a94708600e23669be9e78e79104e69713
parentfb66a7c69ef061fd2da12df8bca47592df25438f (diff)
vim-patch:8.0.0378
Problem:    Another possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)
https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
CVE-2017-6350
-rw-r--r--src/nvim/undo.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 83c171d66a..571ad7204f 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -967,12 +967,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error,
uep->ue_lcount = undo_read_4c(bi);
uep->ue_size = undo_read_4c(bi);
- char_u **array;
+ char_u **array = NULL;
if (uep->ue_size > 0) {
- array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
- memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
- } else {
- array = NULL;
+ if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
+ array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
+ memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
+ }
}
uep->ue_array = array;