patch 8.0.0378: possible overflow when reading corrupted undo file
Problem:    Another possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)
brammool committed Feb 26, 2017
1 parent 3eb1637 commit 0c8485f
Showing 2 changed files with 5 additions and 4 deletions.
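--- a/src/undo.c
+++ b/src/undo.c
@@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
 {
 int i;
 u_entry_T *uep;
-char_u **array;
+char_u **array = NULL;
 char_u *line;
 int line_len;
 
@@ -1402,16 +1402,15 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
 uep->ue_size = undo_read_4c(bi);
 if (uep->ue_size > 0)
 {
-array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
+if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
+array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
 if (array == NULL)
 {
 *error = TRUE;
 return uep;
 }
 vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
 }
-else
-array = NULL;
 uep->ue_array = array;
 
 for (i = 0; i < uep->ue_size; ++i)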
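Review bot: The new guard `if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))` reports an oversized size only indirectly, by leaving `array` NULL so that the existing `if (array == NULL)` branch sets `*error`, and that only works because the first hunk now initialises `array = NULL` at declaration; the coupling deserves a comment so a later edit does not drop the initialiser. Something like `/* A corrupted file can carry any ue_size: leave array NULL on an oversized value so the NULL check below reports it as an error. */` above the `if` would make the intent explicit. Note that the bound only prevents the `sizeof(char_u *) * uep->ue_size` multiplication from overflowing; a forged ue_size just below it still requests a very large allocation, and whether U_ALLOC_LINE fails gracefully in that case is not visible from this hunk. unserialize_uep continues outside the hunk, so the loop over ue_size that follows is not reviewed here.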
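--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+378,
 /**/
 377,
 /**/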

1 comment on commit 0c8485f

@carnil

@carnil carnil commented on 0c8485f Feb 27, 2017


This is CVE-2017-6350
