commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d
Author: Bram Moolenaar <Bram@vim.org>
Date: Thu Feb 9 21:07:12 2017 +0100
patch 8.0.0322: possible overflow with corrupted spell file
Problem: Possible overflow with spell file where the tree length is
corrupted.
Solution: Check for an invalid length (suggested by shqking)
diff --git a/src/spell.c b/src/spell.c
index c7d87c6c7..8b1a3a633 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -4043,6 +4043,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3ffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */
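Review bot: The new upper bound `0x3ffffff` is a bare magic number whose relation to the multiplication it guards is only hinted at; the comment should state the assumption it encodes, e.g. `/* Reject absurd tree sizes from a corrupted file: bound assumes sizeof(int) == 4, so len * sizeof(int) stays well below INT_MAX. */`, so a later change to the element type or the allocation size does not silently invalidate the check. Placing a comment between an unbraced `if` and its `return` also reads ambiguously; bracing the body, `if (len >= 0x3ffffff) { ... return SP_FORMERROR; }`, keeps the guard's extent obvious. The multiplication the guard protects lies outside the hunk, as does the rest of spell_read_tree, so whether the bound is tight against that call cannot be confirmed here.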
diff --git a/src/version.c b/src/version.c
index 7a3d21513..c1a5186ba 100644
--- a/src/version.c
+++ b/src/version.c
@@ -1733,6 +1733,8 @@ static char *(features[]) =
static char *(extra_patches[]) =
{ /* Add your patch description below this line */
/**/
+ "8.0.0322",
+/**/
"8.0.0056",
/**/
NULL