[neovim] 01/06: vim-patch:8.0.0377

James McCoy jamessan at debian.org
Mon Apr 10 13:17:30 UTC 2017


This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch debian/sid
in repository neovim.

commit afd073a451897a5cba3e9b46224e3e2802ac61ea
Author: James McCoy <jamessan at jamessan.com>
Date:   Sat Apr 8 21:22:11 2017 -0400

    vim-patch:8.0.0377
    
    Problem:    Possible overflow when reading corrupted undo file.
    Solution:   Check if allocated size is not too big. (King)
    
    https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c
    
    CVE-2017-6349
---
 src/nvim/undo.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 4d56046..11f4d55 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -76,6 +76,7 @@
 #include <inttypes.h>
 #include <limits.h>
 #include <stdbool.h>
+#include <stdint.h>
 #include <string.h>
 #include <fcntl.h>
 
@@ -1403,7 +1404,9 @@ void u_read_undo(char *name, char_u *hash, char_u *orig_name)
   // sequence numbers of the headers.
   // When there are no headers uhp_table is NULL.
   if (num_head > 0) {
-    uhp_table = xmalloc((size_t)num_head * sizeof(u_header_T *));
+    if ((size_t)num_head < SIZE_MAX / sizeof(*uhp_table)) {
+      uhp_table = xmalloc((size_t)num_head * sizeof(*uhp_table));
+    }
   }
 
   long num_read_uhps = 0;
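Review bot: The new size check inside `if (num_head > 0)` has no failure branch, so a rejected `num_head` leaves `uhp_table` unallocated while `num_head` stays positive and `u_read_undo` simply continues. The comment above the block says `uhp_table` is NULL only when there are no headers, so later code that stores into the table under a `num_head` bound (outside this hunk, not visible here) would presumably write through a null pointer. I would add an `else` that treats the file as corrupted and leaves through the function's existing error path, with a comment such as `// num_head comes from the undo file: reject counts whose table size would overflow size_t`. The check also only stops the multiplication from wrapping, so a large but non-overflowing count still reaches `xmalloc`; a sanity cap on `num_head` may be worth considering. The function body starts and ends outside the hunk.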

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-vim/neovim.git


