alex/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2026-01-10 13:27:56 +10:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:8.0.0322

Browse Source 
Problem:    Possible overflow with spell file where the tree length is
            corrupted.
Solution:   Check for an invalid length (suggested by shqking)

399c297aa9

CVE-2017-5953
This commit is contained in:
James McCoy
2017-04-09 00:45:19 -04:00
parent ad66826abe
commit b338bb9d6c
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/nvim/spellfile.c
View File

@@ -1572,6 +1572,10 @@ spell_read_tree (
int len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
if (len >= 0x3ffffff) {
// Invalid length, multiply with sizeof(int) would overflow.
return SP_FORMERROR;
}
if (len > 0) {
// Allocate the byte array.
bp = xmalloc(len);