gnu: vim: Use upstream fix for CVE-2017-5953.

* gnu/packages/patches/vim-CVE-2017-5953.patch: Adjust to match upstream changes.
This commit is contained in:
Leo Famulari 2017-02-26 11:48:20 -05:00
parent 2f1d20a8d4
commit ffa771d2b4
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
1 changed files with 13 additions and 5 deletions

View File

@ -3,20 +3,28 @@ Fix CVE-2017-5953:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
Patch adapted from upstream commit, correcting the transcription error
in the bounds check:
This change is adapted from the upstream source repository:
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..8b1a3a6 100644
index c7d87c6..00ef019 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1585,7 +1585,7 @@ spell_read_tree(
int prefixtree, /* TRUE for the prefix tree */
int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
{
- int len;
+ long len;
int idx;
char_u *bp;
idx_T *ip;
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3fffffff)
+ if (len >= LONG_MAX / (long)sizeof(int))
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)