1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 9 Feb 2017 21:07:12 +0100
Subject: patch 8.0.0322: possible overflow with corrupted spell file
Problem: Possible overflow with spell file where the tree length is
corrupted.
Solution: Check for an invalid length (suggested by shqking)
---
src/spellfile.c | 3 +++
src/version.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..8b1a3a6 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3ffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */
diff --git a/src/version.c b/src/version.c
index dacb42d..c851d87 100644
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 322,
+/**/
197,
/**/
196,
|
