[neovim] 02/06: vim-patch:8.0.0378
James McCoy
jamessan at debian.org
Mon Apr 10 13:17:30 UTC 2017
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch debian/sid
in repository neovim.
commit 8d09e4c37dfc5ca67412c11a525f5fece5703410
Author: James McCoy <jamessan at jamessan.com>
Date: Sat Apr 8 21:56:02 2017 -0400
vim-patch:8.0.0378
Problem: Another possible overflow when reading corrupted undo file.
Solution: Check if allocated size is not too big. (King)
https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75
CVE-2017-6350
---
src/nvim/undo.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/nvim/undo.c b/src/nvim/undo.c
index 11f4d55..d1a0bfd 100644
--- a/src/nvim/undo.c
+++ b/src/nvim/undo.c
@@ -970,12 +970,12 @@ static u_entry_T *unserialize_uep(bufinfo_T * bi, bool *error,
uep->ue_lcount = undo_read_4c(bi);
uep->ue_size = undo_read_4c(bi);
- char_u **array;
+ char_u **array = NULL;
if (uep->ue_size > 0) {
- array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
- memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
- } else {
- array = NULL;
+ if ((size_t)uep->ue_size < SIZE_MAX / sizeof(char_u *)) {
+ array = xmalloc(sizeof(char_u *) * (size_t)uep->ue_size);
+ memset(array, 0, sizeof(char_u *) * (size_t)uep->ue_size);
+ }
}
uep->ue_array = array;
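Review bot: When `ue_size` is positive but fails the `SIZE_MAX / sizeof(char_u *)` check, `array` stays NULL while `uep->ue_size` keeps the oversized value, and nothing in the hunk reports the corrupted file through `error`. The rest of unserialize_uep lies outside the hunk, so this is inferred, but any later code that fills `ue_array` by iterating up to `ue_size` would then write through a NULL pointer. I would add an `else` branch to the size check that fails the read explicitly: `uep->ue_array = NULL; *error = true; return uep;`. A short comment such as `// ue_size is read from the undo file; reject counts whose pointer array would overflow size_t` would also record why the bound exists.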
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-vim/neovim.git