vim-patch:8.0.0376

Problem: Size computations in spell file reading are not exactly right. Solution: Make "len" a "long" and check with LONG_MAX. https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
author: James McCoy <jamessan@jamessan.com> 2017-04-09 00:46:52 -0400
committer: James McCoy <jamessan@jamessan.com> 2017-04-09 00:49:53 -0400
commit: 4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc (patch)
tree: 49a74c47f5f6419469eb1fa1a5d7d5bb1426e1e4
parent: b338bb9d6c331fa4a45fbbeb7da3210f30f31702 (diff)
download: rneovim-4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc.tar.gz
rneovim-4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc.tar.bz2
rneovim-4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c
index 81000b95f5..a6cee59795 100644
--- a/src/nvim/spellfile.c
+++ b/src/nvim/spellfile.c
@@ -223,6 +223,7 @@
 //                          few bytes as possible, see offset2bytes())
 
 #include <stdio.h>
+#include <stdint.h>
 #include <wctype.h>
 
 #include "nvim/vim.h"
@@ -1569,10 +1570,10 @@ spell_read_tree (
 
   // The tree size was computed when writing the file, so that we can
   // allocate it as one long block. <nodecount>
-  int len = get4c(fd);
+  long len = get4c(fd);
   if (len < 0)
     return SP_TRUNCERROR;
-  if (len >= 0x3ffffff) {
+  if ((size_t)len >= SIZE_MAX / sizeof(int)) {
     // Invalid length, multiply with sizeof(int) would overflow.
     return SP_FORMERROR;
   }
author	James McCoy <jamessan@jamessan.com>	2017-04-09 00:46:52 -0400
committer	James McCoy <jamessan@jamessan.com>	2017-04-09 00:49:53 -0400
commit	4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc (patch)
tree	49a74c47f5f6419469eb1fa1a5d7d5bb1426e1e4
parent	b338bb9d6c331fa4a45fbbeb7da3210f30f31702 (diff)
download	rneovim-4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc.tar.gz rneovim-4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc.tar.bz2 rneovim-4af6c60826b4cb939fd9b7fe67a0b03e86d72bfc.zip