diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/nvim/spellfile.c | 10 | ||||
| -rw-r--r-- | src/nvim/undo.c | 15 |
2 files changed, 17 insertions, 8 deletions
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c index 4d7ff558ad..bbef1f5032 100644 --- a/src/nvim/spellfile.c +++ b/src/nvim/spellfile.c @@ -223,6 +223,7 @@ // few bytes as possible, see offset2bytes()) #include <stdio.h> +#include <stdint.h> #include <wctype.h> #include "nvim/vim.h" @@ -1569,9 +1570,14 @@ spell_read_tree ( // The tree size was computed when writing the file, so that we can // allocate it as one long block. <nodecount> - int len = get4c(fd); - if (len < 0) + long len = get4c(fd); + if (len < 0) { return SP_TRUNCERROR; + } + if ((size_t)len >= SIZE_MAX / sizeof(int)) { + // Invalid length, multiply with sizeof(int) would overflow. + return SP_FORMERROR; + } if (len > 0) { // Allocate the byte array. bp = xmalloc(len); diff --git a/src/nvim/undo.c b/src/nvim/undo.c index 4d4e8d9bb9..571ad7204f 100644 --- a/src/nvim/undo.c +++ b/src/nvim/undo.c @@ -76,6 +76,7 @@ #include <inttypes.h> #include <limits.h> #include <stdbool.h> +#include <stdint.h> #include <string.h> #include <fcntl.h> @@ -966,12 +967,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error, uep->ue_lcount = undo_read_4c(bi); uep->ue_size = undo_read_4c(bi); - char_u **array; + char_u **array = NULL; if (uep->ue_size > 0) { - array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size); - memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size); - } else { - array = NULL; + if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) { + array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size); + memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size); + } } uep->ue_array = array; @@ -1400,7 +1401,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name) // sequence numbers of the headers. // When there are no headers uhp_table is NULL. if (num_head > 0) { - uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *)); + if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) { + uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table)); + } } long num_read_uhps = 0; |