diff options
| author | James McCoy <jamessan@jamessan.com> | 2017-04-09 13:25:15 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-04-09 13:25:15 -0400 |
| commit | dbdd69e418a3baa4750abc25fae7516a36776e75 (patch) | |
| tree | 52007980f4b417d001d37e7fd508b72cfef5432a /src/nvim/spellfile.c | |
| parent | 26bf6e6f6f8819a758611a88e0c0b04e38d4b915 (diff) | |
| parent | 06a96df510e1fa8d77d21a8120e97342d04be15f (diff) | |
| download | rneovim-dbdd69e418a3baa4750abc25fae7516a36776e75.tar.gz rneovim-dbdd69e418a3baa4750abc25fae7516a36776e75.tar.bz2 rneovim-dbdd69e418a3baa4750abc25fae7516a36776e75.zip | |
Merge pull request #6485 from jamessan/vim-8.0.0377
vim-patch:8.0.0377,8.0.0378,8.0.0322,8.0.0376
Diffstat (limited to 'src/nvim/spellfile.c')
| -rw-r--r-- | src/nvim/spellfile.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c index 4d7ff558ad..bbef1f5032 100644 --- a/src/nvim/spellfile.c +++ b/src/nvim/spellfile.c @@ -223,6 +223,7 @@ // few bytes as possible, see offset2bytes()) #include <stdio.h> +#include <stdint.h> #include <wctype.h> #include "nvim/vim.h" @@ -1569,9 +1570,14 @@ spell_read_tree ( // The tree size was computed when writing the file, so that we can // allocate it as one long block. <nodecount> - int len = get4c(fd); - if (len < 0) + long len = get4c(fd); + if (len < 0) { return SP_TRUNCERROR; + } + if ((size_t)len >= SIZE_MAX / sizeof(int)) { + // Invalid length, multiply with sizeof(int) would overflow. + return SP_FORMERROR; + } if (len > 0) { // Allocate the byte array. bp = xmalloc(len); |