vim-patch:8.0.0376

Problem:    Size computations in spell file reading are not exactly right.
Solution:   Make "len" a "long" and check with LONG_MAX.

6d3c8586fc
James McCoy 2017-04-09 00:46:52 -04:00
parent b338bb9d6c
commit 4af6c60826
No known key found for this signature in database
GPG Key ID: DFE691AE331BA3DB


@ -223,6 +223,7 @@
// few bytes as possible, see offset2bytes())
#include <stdio.h>
#include <stdint.h>
#include <wctype.h>
#include "nvim/vim.h"
@ -1569,10 +1570,10 @@ spell_read_tree (
// The tree size was computed when writing the file, so that we can
// allocate it as one long block. <nodecount>
int len = get4c(fd);
long len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
if (len >= 0x3ffffff) {
if ((size_t)len >= SIZE_MAX / sizeof(int)) {
// Invalid length, multiply with sizeof(int) would overflow.
return SP_FORMERROR;
}
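Review bot: The new guard `(size_t)len >= SIZE_MAX / sizeof(int)` in spell_read_tree only stops the multiplication from wrapping; it no longer bounds `<nodecount>`, which is read from the spell file via `get4c(fd)`. If get4c yields a four-byte value, as its name suggests, the test cannot fire where size_t is 64 bits wide, so with the old `0x3ffffff` ceiling gone a malformed file can ask for a very large block. The allocation itself is outside this hunk, so this should be confirmed against the rest of the function. I would keep an explicit sanity limit next to the overflow test, for example `if (len >= MAX_TREE_NODES || (size_t)len >= SIZE_MAX / sizeof(int)) {` (`MAX_TREE_NODES` is a placeholder name), returning SP_FORMERROR as now. The commit description says the check uses LONG_MAX while the code compares against SIZE_MAX, so a short comment on that deviation from the Vim patch would help the next reader.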