summary refs log tree commit diff
path: root/gnu/packages/patches/vim-CVE-2017-5953.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/vim-CVE-2017-5953.patch')
-rw-r--r--gnu/packages/patches/vim-CVE-2017-5953.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch
new file mode 100644
index 0000000000..070f98c2cb
--- /dev/null
+++ b/gnu/packages/patches/vim-CVE-2017-5953.patch
@@ -0,0 +1,32 @@
+Fix CVE-2017-5953:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
+https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
+
+This change is adapted from the upstream source repository:
+
+https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
+
+diff --git a/src/spellfile.c b/src/spellfile.c
+index c7d87c6..00ef019 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -1585,7 +1585,7 @@ spell_read_tree(
+     int		prefixtree,	/* TRUE for the prefix tree */
+     int		prefixcnt)	/* when "prefixtree" is TRUE: prefix count */
+ {
+-    int		len;
++    long	len;
+     int		idx;
+     char_u	*bp;
+     idx_T	*ip;
+@@ -1595,6 +1595,9 @@ spell_read_tree(
+     len = get4c(fd);
+     if (len < 0)
+ 	return SP_TRUNCERROR;
++    if (len >= LONG_MAX / (long)sizeof(int))
++	/* Invalid length, multiply with sizeof(int) would overflow. */
++	return SP_FORMERROR;
+     if (len > 0)
+     {
+ 	/* Allocate the byte array. */
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-12-13 22:31:27 +0000