From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 26 Feb 2017 18:17:10 +0100
Subject: patch 8.0.0378: possible overflow when reading corrupted undo file
Problem: Another possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
---
src/undo.c | 7 +++----
src/version.c | 2 ++
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/undo.c b/src/undo.c
index 9a6875b..6de985b 100644
--- a/src/undo.c
+++ b/src/undo.c
@@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
{
int i;
u_entry_T *uep;
- char_u **array;
+ char_u **array = NULL;
char_u *line;
int line_len;
@@ -1402,7 +1402,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
uep->ue_size = undo_read_4c(bi);
if (uep->ue_size > 0)
{
- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
+ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
if (array == NULL)
{
*error = TRUE;
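Review bot: A negative count from the undo file is still accepted here: `if (uep->ue_size > 0)` skips the allocation for it, but nothing flags it as corruption, so the entry keeps a negative `ue_size` with a NULL array (and if the 4-byte reader returns -1 at EOF, a truncated file is treated as an empty entry); consider `if (uep->ue_size < 0) { *error = TRUE; ... }` before the size test, taking the same error path as the `array == NULL` case. The new bound is written against `LONG_MAX` with an `(int)` cast while the product `sizeof(char_u *) * uep->ue_size` is evaluated in `size_t`; it stops the wraparound wherever `long` is no wider than `size_t`, which covers every common target, but a one-line comment saying that `LONG_MAX` is the intended limit (or, where available, `SIZE_MAX / sizeof(char_u *)`) would make the reasoning explicit. On 64-bit targets the check can never fire for a value read from 4 bytes, so a corrupt file can still request a multi-gigabyte allocation that is bounded only by `U_ALLOC_LINE` failing; a sanity cap on `ue_size` is worth considering if a meaningful upper bound is known at this point. The enclosing `unserialize_uep` continues outside this hunk, including the return on the error path.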
@@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
}
vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
}
- else
- array = NULL;
uep->ue_array = array;
for (i = 0; i < uep->ue_size; ++i)
diff --git a/src/version.c b/src/version.c
index 4c81879..c301a98 100644
--- a/src/version.c
+++ b/src/version.c
@@ -771,6 +771,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 378,
+/**/
377,
/**/
322,