summary refs log tree commit diff
path: root/gnu/packages
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-02-26 11:48:20 -0500
committerLeo Famulari <leo@famulari.name>2017-02-26 12:04:16 -0500
commitffa771d2b4c069c1fcf6d226d330ce1f514d7a49 (patch)
tree955324d78dc09f23861c2b832ff0c1dd6018027b /gnu/packages
parent2f1d20a8d473d9183460d38ed34f1c3d51860c78 (diff)
downloadguix-ffa771d2b4c069c1fcf6d226d330ce1f514d7a49.tar.gz
gnu: vim: Use upstream fix for CVE-2017-5953.
* gnu/packages/patches/vim-CVE-2017-5953.patch: Adjust to match upstream changes.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/patches/vim-CVE-2017-5953.patch18
1 files changed, 13 insertions, 5 deletions
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch
index 7b66f1bf16..070f98c2cb 100644
--- a/gnu/packages/patches/vim-CVE-2017-5953.patch
+++ b/gnu/packages/patches/vim-CVE-2017-5953.patch
@@ -3,20 +3,28 @@ Fix CVE-2017-5953:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
 https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
 
-Patch adapted from upstream commit, correcting the transcription error
-in the bounds check:
+This change is adapted from the upstream source repository:
 
-https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
 
 diff --git a/src/spellfile.c b/src/spellfile.c
-index c7d87c6..8b1a3a6 100644
+index c7d87c6..00ef019 100644
 --- a/src/spellfile.c
 +++ b/src/spellfile.c
+@@ -1585,7 +1585,7 @@ spell_read_tree(
+     int		prefixtree,	/* TRUE for the prefix tree */
+     int		prefixcnt)	/* when "prefixtree" is TRUE: prefix count */
+ {
+-    int		len;
++    long	len;
+     int		idx;
+     char_u	*bp;
+     idx_T	*ip;
 @@ -1595,6 +1595,9 @@ spell_read_tree(
      len = get4c(fd);
      if (len < 0)
  	return SP_TRUNCERROR;
-+    if (len >= 0x3fffffff)
++    if (len >= LONG_MAX / (long)sizeof(int))
 +	/* Invalid length, multiply with sizeof(int) would overflow. */
 +	return SP_FORMERROR;
      if (len > 0)