vim-patch:8.0.0377

Problem:    Possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)

3eb1637b1b

CVE-2017-6349
James McCoy 2017-04-08 21:22:11 -04:00
parent 699e8406b5
commit fb66a7c69e

@ -76,6 +76,7 @@
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
@ -1400,7 +1401,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
// sequence numbers of the headers.
// When there are no headers uhp_table is NULL.
if (num_head > 0) {
uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
}
}
long num_read_uhps = 0;
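Review bot: When the new guard `if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table))` fails there is no `else`, so `uhp_table` is never allocated while `num_head` is still positive, and execution falls through to `long num_read_uhps = 0;`. The comment above the block says the table is NULL only when there are no headers, so the rest of u_read_undo (outside this hunk) presumably indexes it whenever `num_head > 0`. If that holds, a corrupted undo file that trips the guard trades the size overflow for a NULL dereference. The hunk does not test the result of `xmalloc`, so the rejection needs to be explicit: add an `else` branch that treats the file as corrupt and leaves through the function's existing failure path. A comment such as `// num_head is read from the undo file; reject counts whose table size would overflow size_t` would record why the guard exists.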