From b338bb9d6c331fa4a45fbbeb7da3210f30f31702 Mon Sep 17 00:00:00 2001
From: James McCoy
Date: Sun, 9 Apr 2017 00:45:19 -0400
Subject: vim-patch:8.0.0322
Problem: Possible overflow with spell file where the tree length is corrupted.
Solution: Check for an invalid length (suggested by shqking)
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
CVE-2017-5953
---
src/nvim/spellfile.c | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'src')
diff --git a/src/nvim/spellfile.c b/src/nvim/spellfile.c
index 4d7ff558ad..81000b95f5 100644
--- a/src/nvim/spellfile.c
+++ b/src/nvim/spellfile.c
@@ -1572,6 +1572,10 @@ spell_read_tree (
 int len = get4c(fd);
 if (len < 0)
 return SP_TRUNCERROR;
+ if (len >= 0x3ffffff) {
+ // Invalid length, multiply with sizeof(int) would overflow.
+ return SP_FORMERROR;
+ }
 if (len > 0) {
 // Allocate the byte array.
 bp = xmalloc(len);
--
cgit
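Review bot: The bound `0x3ffffff` in the added check is a magic number; its comment says only that a multiply by sizeof(int) would overflow, which presumes a 32-bit int and leaves the reader to work out why 2^26 rather than INT_MAX / sizeof(int) is the cutoff. Since `len` comes straight from the spell file it is untrusted input, and a limit whose derivation is visible is easier to audit, so either name the constant or state the arithmetic in the comment, e.g. `// Invalid length: keep len * sizeof(int) well below INT_MAX (assumes 32-bit int); a larger value means a corrupted file.` The guard is placed correctly after the `len < 0` check, so the comparison is made on a non-negative value. spell_read_tree starts before the hunk and continues after it, so the array that is presumably sized as len * sizeof(int) is not visible here; confirm the constant still matches that allocation.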