33 lines
936 B
Diff
33 lines
936 B
Diff
Fix CVE-2017-5953:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
|
|
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
|
|
|
|
This change is adapted from the upstream source repository:
|
|
|
|
https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
|
|
|
|
diff --git a/src/spellfile.c b/src/spellfile.c
|
|
index c7d87c6..00ef019 100644
|
|
--- a/src/spellfile.c
|
|
+++ b/src/spellfile.c
|
|
@@ -1585,7 +1585,7 @@ spell_read_tree(
|
|
int prefixtree, /* TRUE for the prefix tree */
|
|
int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
|
|
{
|
|
- int len;
|
|
+ long len;
|
|
int idx;
|
|
char_u *bp;
|
|
idx_T *ip;
|
|
@@ -1595,6 +1595,9 @@ spell_read_tree(
|
|
len = get4c(fd);
|
|
if (len < 0)
|
|
return SP_TRUNCERROR;
|
|
+ if (len >= LONG_MAX / (long)sizeof(int))
|
|
+ /* Invalid length, multiply with sizeof(int) would overflow. */
|
|
+ return SP_FORMERROR;
|
|
if (len > 0)
|
|
{
|
|
/* Allocate the byte array. */
|