gnu/packages/patches/vim-CVE-2017-5953.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

Fix CVE-2017-5953:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY

Patch adapted from upstream commit, correcting the transcription error
in the bounds check:

https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d

diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..8b1a3a6 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3fffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
     if (len > 0)
     {
 	/* Allocate the byte array. */