author | James McCoy <jamessan@jamessan.com> | 2017-04-08 21:22:11 -0400 |
---|---|---|
committer | James McCoy <jamessan@jamessan.com> | 2017-04-09 00:49:26 -0400 |
commit | fb66a7c69ef061fd2da12df8bca47592df25438f (patch) | |
tree | ed7f01a2b3a53aebb1327209b53a48c4092791ef | |
parent | 699e8406b5d57e1ca975af443329d8f24ae1b704 (diff) | |
vim-patch:8.0.0377
Problem: Possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
CVE-2017-6349
-rw-r--r-- | src/nvim/undo.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 4d4e8d9bb9..83c171d66a 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -76,6 +76,7 @@
 #include <inttypes.h>
 #include <limits.h>
 #include <stdbool.h>
+#include <stdint.h>
 #include <string.h>
 #include <fcntl.h>
@@ -1400,7 +1401,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
 // sequence numbers of the headers.
 // When there are no headers uhp_table is NULL.
 if (num_head > 0) {
- uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
+ if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
+ uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
+ }
 }
 long num_read_uhps = 0; |
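Review bot: In the second hunk the new size check has no failure branch, so when `(size_t)num_head >= SIZE_MAX / sizeof(*uhp_table)` the allocation is skipped and execution falls through with `num_head > 0` but `uhp_table` unchanged. The context comment describes NULL as the "no headers" state, so a corrupted undo file would likely turn the multiplication overflow into a NULL-pointer write once later code stores headers into the table; that code is outside the hunk, so this is inferred. The oversize case should be rejected explicitly as a corrupt file, for example `} else { /* num_head too large: report corruption and leave via the function's error exit */ }`. The body of u_read_undo starts and ends outside the hunk, so the exact error path has to be taken from the surrounding code.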