From c79b8af28e107a46149ee6cebe4b30248d37c1e5 Mon Sep 17 00:00:00 2001
From: James McCoy <jamessan@jamessan.com>
Date: Sat, 8 Apr 2017 21:56:02 -0400
Subject: [PATCH 5/9] vim-patch:8.0.0378

Problem:    Another possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)

https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75

CVE-2017-6350
---
 src/nvim/undo.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 11f4d5564..d1a0bfdf1 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -970,12 +970,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error,
   uep->ue_lcount = undo_read_4c(bi);
   uep->ue_size = undo_read_4c(bi);
 
-  char_u **array;
+  char_u **array = NULL;
   if (uep->ue_size > 0) {
-    array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
-    memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
-  } else {
-    array = NULL;
+    if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
+      array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
+      memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
+    }
   }
   uep->ue_array = array;
 
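Review bot: When the new bound check on `(size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)` fails, `array` stays NULL while `uep->ue_size` keeps its oversized value and execution simply continues past `uep->ue_array = array;`, so the caller gets no indication that the entry is corrupt and any per-line fill of `array` that follows (outside this hunk) would presumably dereference NULL. The `error` out-parameter visible in the hunk header is the existing channel for this; the rejected branch should report it instead of silently skipping the allocation, e.g. `} else { *error = true; return uep; }` after the inner `if`. Note also that a size that passes the check but is still enormous goes straight to `xmalloc`, which in this codebase aborts on failure rather than returning, so a corrupted undo file can still terminate the process — worth a comment or a tighter upper bound if one is available. `unserialize_uep` begins before and ends after this hunk.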
