vim-patch:8.0.0378

Problem:    Another possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)

0c8485f0e4

CVE-2017-6350
This commit is contained in:
James McCoy 2017-04-08 21:56:02 -04:00
parent fb66a7c69e
commit ad66826abe


@ -967,12 +967,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error,
uep->ue_lcount = undo_read_4c(bi); uep->ue_lcount = undo_read_4c(bi);
uep->ue_size = undo_read_4c(bi); uep->ue_size = undo_read_4c(bi);
char_u **array; char_u **array = NULL;
if (uep->ue_size > 0) { if (uep->ue_size > 0) {
if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size); array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size); memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
} else { }
array = NULL;
} }
uep->ue_array = array; uep->ue_array = array;