[neovim] 03/06: vim-patch:8.0.0322
James McCoy
jamessan at debian.org
Mon Apr 10 13:17:30 UTC 2017
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch debian/sid
in repository neovim.
commit 0836207ca818dbc1822a9b7a39087b29af87a04c
Author: James McCoy <jamessan at jamessan.com>
Date: Sun Apr 9 00:45:19 2017 -0400
vim-patch:8.0.0322
Problem: Possible overflow with spell file where the tree length is
corrupted.
Solution: Check for an invalid length (suggested by shqking)
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
CVE-2017-5953
---
src/nvim/spell.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/nvim/spell.c b/src/nvim/spell.c
index 7119ac6..17c7dd9 100644
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@@ -3592,6 +3592,10 @@ spell_read_tree (
int len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3ffffff) {
+ // Invalid length, multiply with sizeof(int) would overflow.
+ return SP_FORMERROR;
+ }
if (len > 0) {
// Allocate the byte array.
bp = xmalloc(len);
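Review bot: the limit in the added `if (len >= 0x3ffffff)` is a bare literal, and its comment justifies it by a multiplication with sizeof(int) that does not appear in these lines (the allocation shown is `xmalloc(len)`). Consider deriving the bound from the element size, for example by comparing len against a maximum divided by sizeof(int), or at least naming the constant and pointing the comment at the allocation that performs the multiplication, so the check stays correct if that type or allocation changes. The diffstat shows only src/nvim/spell.c touched, so a regression test that loads a spell file with a corrupted tree length would be worth adding with the fix.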
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-vim/neovim.git