mirror of
https://github.com/neovim/neovim.git
synced 2025-02-25 18:55:25 -06:00
vim-patch:8.0.0322
Problem: Possible overflow with spell file where the tree length is
corrupted.
Solution: Check for an invalid length (suggested by shqking)
399c297aa9
CVE-2017-5953
This commit is contained in:
parent
ad66826abe
commit
b338bb9d6c
@ -1572,6 +1572,10 @@ spell_read_tree (
|
||||
int len = get4c(fd);
|
||||
if (len < 0)
|
||||
return SP_TRUNCERROR;
|
||||
if (len >= 0x3ffffff) {
|
||||
// Invalid length, multiply with sizeof(int) would overflow.
|
||||
return SP_FORMERROR;
|
||||
}
|
||||
if (len > 0) {
|
||||
// Allocate the byte array.
|
||||
bp = xmalloc(len);
|
||||
|
Loading…
Reference in New Issue
Block a user