blob: 070f98c2cbf938dea3ea23c77dad7f3f274c4d6b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
Fix CVE-2017-5953:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
This change is adapted from the upstream source repository:
https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..00ef019 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1585,7 +1585,7 @@ spell_read_tree(
int prefixtree, /* TRUE for the prefix tree */
int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
{
- int len;
+ long len;
int idx;
char_u *bp;
idx_T *ip;
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= LONG_MAX / (long)sizeof(int))
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */
|