diff options
| author | Bram Moolenaar <Bram@vim.org> | 2017-02-26 18:11:36 +0100 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2017-02-26 18:11:36 +0100 |
| commit | 3eb1637b1bba19519885dd6d377bd5596e91d22c (patch) | |
| tree | 987e404cc32bf438d5e6c9939862c5cc7e0dddca | |
| parent | 6d3c8586fc81b022e9f06c611b9926108fb878c7 (diff) | |
| download | vim-3eb1637b1bba19519885dd6d377bd5596e91d22c.zip | |
patch 8.0.0377: possible overflow when reading corrupted undo file
Problem: Possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
| -rw-r--r-- | src/undo.c | 5 | ||||
| -rw-r--r-- | src/version.c | 2 |
2 files changed, 5 insertions, 2 deletions
diff --git a/src/undo.c b/src/undo.c index b69f31872..ba7c0b83c 100644 --- a/src/undo.c +++ b/src/undo.c @@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name) linenr_T line_lnum; colnr_T line_colnr; linenr_T line_count; - int num_head = 0; + long num_head = 0; long old_header_seq, new_header_seq, cur_header_seq; long seq_last, seq_cur; long last_save_nr = 0; @@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name) * When there are no headers uhp_table is NULL. */ if (num_head > 0) { - uhp_table = (u_header_T **)U_ALLOC_LINE( + if (num_head < LONG_MAX / (long)sizeof(u_header_T *)) + uhp_table = (u_header_T **)U_ALLOC_LINE( num_head * sizeof(u_header_T *)); if (uhp_table == NULL) goto error; diff --git a/src/version.c b/src/version.c index 8d1454197..c79020b21 100644 --- a/src/version.c +++ b/src/version.c @@ -765,6 +765,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 377, +/**/ 376, /**/ 375, |