mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-28 22:18:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:8.0.0377

Browse Source 
Problem:    Possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)

3eb1637b1b

CVE-2017-6349
This commit is contained in:
James McCoy
2017-04-08 21:22:11 -04:00
parent 699e8406b5
commit fb66a7c69e
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/nvim/undo.c
View File

@@ -76,6 +76,7 @@
#include <inttypes.h> #include <inttypes.h>
#include <limits.h> #include <limits.h>
#include <stdbool.h> #include <stdbool.h>
#include <stdint.h>
#include <string.h> #include <string.h>
#include <fcntl.h> #include <fcntl.h>
@@ -1400,7 +1401,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
// sequence numbers of the headers. // sequence numbers of the headers.
// When there are no headers uhp_table is NULL. // When there are no headers uhp_table is NULL.
if (num_head > 0) { if (num_head > 0) {
uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *)); if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
}
} }
long num_read_uhps = 0; long num_read_uhps = 0;