1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 26 Feb 2017 18:11:36 +0100
Subject: patch 8.0.0377: possible overflow when reading corrupted undo file
Problem: Possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
---
src/undo.c | 5 +++--
src/version.c | 2 ++
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/undo.c b/src/undo.c
index 607f35f..9a6875b 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
linenr_T line_lnum;
colnr_T line_colnr;
linenr_T line_count;
- int num_head = 0;
+ long num_head = 0;
long old_header_seq, new_header_seq, cur_header_seq;
long seq_last, seq_cur;
long last_save_nr = 0;
@@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
* When there are no headers uhp_table is NULL. */
if (num_head > 0)
{
- uhp_table = (u_header_T **)U_ALLOC_LINE(
+ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
+ uhp_table = (u_header_T **)U_ALLOC_LINE(
num_head * sizeof(u_header_T *));
if (uhp_table == NULL)
goto error;
diff --git a/src/version.c b/src/version.c
index c851d87..4c81879 100644
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 377,
+/**/
322,
/**/
197,
|
