From fb66a7c69ef061fd2da12df8bca47592df25438f Mon Sep 17 00:00:00 2001
From: James McCoy <jamessan@jamessan.com>
Date: Sat, 8 Apr 2017 21:22:11 -0400
Subject: vim-patch:8.0.0377

Problem:    Possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)

https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c

CVE-2017-6349
---
 src/nvim/undo.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 4d4e8d9bb9..83c171d66a 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -76,6 +76,7 @@
 #include <inttypes.h>
 #include <limits.h>
 #include <stdbool.h>
+#include <stdint.h>
 #include <string.h>
 #include <fcntl.h>
 
@@ -1400,7 +1401,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
   // sequence numbers of the headers.
   // When there are no headers uhp_table is NULL.
   if (num_head > 0) {
-    uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
+    if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
+      uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
+    }
   }
 
   long num_read_uhps = 0;
-- 
cgit