25 lines
710 B
Diff
25 lines
710 B
Diff
Fix CVE-2017-5953:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
|
|
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
|
|
|
|
Patch adapted from upstream commit, correcting the transcription error
|
|
in the bounds check:
|
|
|
|
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
|
|
|
|
diff --git a/src/spellfile.c b/src/spellfile.c
|
|
index c7d87c6..8b1a3a6 100644
|
|
--- a/src/spellfile.c
|
|
+++ b/src/spellfile.c
|
|
@@ -1595,6 +1595,9 @@ spell_read_tree(
|
|
len = get4c(fd);
|
|
if (len < 0)
|
|
return SP_TRUNCERROR;
|
|
+ if (len >= 0x3fffffff)
|
|
+ /* Invalid length, multiply with sizeof(int) would overflow. */
|
|
+ return SP_FORMERROR;
|
|
if (len > 0)
|
|
{
|
|
/* Allocate the byte array. */
|