[neovim] 01/06: vim-patch:8.0.0377
James McCoy
jamessan at debian.org
Mon Apr 10 13:17:30 UTC 2017
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch debian/sid
in repository neovim.
commit afd073a451897a5cba3e9b46224e3e2802ac61ea
Author: James McCoy <jamessan at jamessan.com>
Date: Sat Apr 8 21:22:11 2017 -0400
vim-patch:8.0.0377
Problem: Possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
CVE-2017-6349
---
src/nvim/undo.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 4d56046..11f4d55 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -76,6 +76,7 @@
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
+#include <stdint.h>
#include <string.h>
#include <fcntl.h>
@@ -1403,7 +1404,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
// sequence numbers of the headers.
// When there are no headers uhp_table is NULL.
if (num_head > 0) {
- uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
+ if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
+ uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
+ }
}
long num_read_uhps = 0;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-vim/neovim.git
More information about the pkg-vim-maintainers
mailing list