
patch 8.0.0322: possible overflow with corrupted spell file

Problem:    Possible overflow with spell file where the tree length is
            corrupted.
Solution:   Check for an invalid length (suggested by shqking)
brammool committed Feb 9, 2017
1 parent 8cc2a9c commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d
Showing with 5 additions and 0 deletions.
  1. +3 −0 src/spellfile.c
  2. +2 −0 src/version.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3ffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */
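Review bot: the literal in `+ if (len >= 0x3ffffff)` is an unexplained magic number, and it is stricter than the comment on the next line justifies. With a 32-bit `int` and `sizeof(int) == 4`, `len * sizeof(int)` only wraps a 32-bit `size_t` once `len` exceeds `UINT_MAX / sizeof(int)`, which is 0x3fffffff (seven f's), so this check also rejects lengths between 0x3ffffff and 0x3ffffffe that would not overflow. Prefer a bound derived from the types, `if (len > UINT_MAX / sizeof(int))` with `<limits.h>` included, and keep the comment; the `if (len < 0)` just above has already excluded negative values, so the implicit conversion of `len` to unsigned in that comparison is exact.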
@@ -764,6 +764,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 322,
/**/
321,
/**/

8 comments on commit 399c297

asdofijanw Feb 13, 2017

The initial patch submitted by shqking (https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY) used an upper bound of 0x3fffffff (note there are 7 'f's) while the upper bound that was committed is 0x3ffffff (6 'f's). Is this correct? Also, is there a #DEFINE or global that can be used instead of this seemingly arbitrary hardcoded number?

shqking Feb 14, 2017

Hi asdofijanw,
Thanks for your comment.

I guess it is brammool's written error.
The upper bound should be 0x3fffffff (i.e. 7 'f's).

jamessan Feb 14, 2017

> Also, is there a #DEFINE or global that can be used instead of this seemingly arbitrary hardcoded number?

Yeah, it'd be better to do something based on the actual bounds of the data types, like if (len >= (ULONG_MAX / sizeof(int))).

shqking Feb 14, 2017

> Yeah, it'd be better to do something based on the actual bounds of the data types, like if (len >= (ULONG_MAX / sizeof(int))).

Yes. I agree with you.

MaskRay Feb 14, 2017

> Yeah, it'd be better to do something based on the actual bounds of the data types, like if (len >= (ULONG_MAX / sizeof(int))).

len > ULONG_MAX / sizeof(int) ?

shqking Feb 16, 2017

> len > ULONG_MAX / sizeof(int) ?

#define UINT_MAX 0xffffffff // 2^32 - 1, the max value that UNSIGNED INT can represent.
len > UINT_MAX / sizeof(int)
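Added here as an illustration, not Vim's code: the check as committed in patch 8.0.0322 next to the type-derived bound discussed in this thread, plus a 32-bit emulation of the multiplication both checks guard. It assumes a 32-bit int with sizeof(int) == 4, uses a read4c() stand-in for get4c() that reads from a constructed in-memory buffer, and the SP_TRUNCERROR/SP_FORMERROR values are made up.

```c
/* Added example, not Vim's code: the length check from patch 8.0.0322 next
 * to the type-derived bound discussed in the comments.  Assumes a 32-bit int
 * with sizeof(int) == 4; SP_TRUNCERROR/SP_FORMERROR values are made up. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SP_TRUNCERROR (-1)   /* assumed values; Vim's real ones differ */
#define SP_FORMERROR  (-2)

/* Read a 4-byte big-endian count from an in-memory buffer, standing in for
 * get4c(fd).  Returns -1 when fewer than 4 bytes remain and, like get4c(),
 * yields a negative int when the top bit of the stored value is set. */
static int read4c(const unsigned char *buf, size_t buflen, size_t *pos)
{
    if (*pos > buflen || buflen - *pos < 4)
        return -1;
    uint32_t v = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
               | ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return (int)v;
}

/* Does len * sizeof(int) survive a 32-bit size_t without wrapping?  The
 * product is computed modulo 2^32 on purpose, then verified by division. */
static int mul_fits_u32(int len)
{
    uint32_t n = (uint32_t)len;
    uint32_t prod = n * (uint32_t)sizeof(int);
    return n == 0 || prod / (uint32_t)sizeof(int) == n;
}

/* The check as committed: a hard-coded bound (six f's). */
static int check_len_committed(int len)
{
    if (len < 0)
        return SP_TRUNCERROR;
    if (len >= 0x3ffffff)
        return SP_FORMERROR;
    return 0;
}

/* The check proposed in the comments: bound derived from the types.  len is
 * non-negative at this point, so converting it to unsigned for the
 * comparison cannot change its value.  '>' rather than '>=' is right:
 * UINT_MAX / sizeof(int) itself multiplies to 0xfffffffc, which still fits. */
static int check_len_typed(int len)
{
    if (len < 0)
        return SP_TRUNCERROR;
    if ((unsigned int)len > UINT_MAX / sizeof(int))
        return SP_FORMERROR;
    return 0;
}

/* Run both checks over one constructed 4-byte tree-length field. */
static void show(const char *label, const unsigned char *field)
{
    size_t pos = 0;
    int len = read4c(field, 4, &pos);
    printf("%-22s len=%#x committed=%d typed=%d mul-fits32=%d\n", label,
           (unsigned int)len, check_len_committed(len), check_len_typed(len),
           mul_fits_u32(len));
}

int main(void)
{
    /* Constructed length fields, not taken from any real spell file. */
    static const unsigned char small[]    = { 0x00, 0x00, 0x10, 0x00 }; /* 4096 */
    static const unsigned char boundary[] = { 0x3f, 0xff, 0xff, 0xff }; /* UINT_MAX/4 */
    static const unsigned char one_over[] = { 0x40, 0x00, 0x00, 0x00 }; /* wraps to 0 */
    static const unsigned char high_bit[] = { 0x80, 0x00, 0x00, 0x00 }; /* negative */
    show("small", small);
    show("UINT_MAX/sizeof(int)", boundary);
    show("one past the bound", one_over);
    show("high bit set", high_bit);
    return 0;
}
```

The boundary row is the interesting one: the committed check rejects 0x3fffffff although its 32-bit product (0xfffffffc) fits, while the typed check accepts it and rejects the first value that actually wraps.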

k-takata (Member) Feb 26, 2017

Agree with @shqking. The type of len is int, so UINT_MAX should be used.

@brammool Why not include this?

--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,7 +1595,7 @@ spell_read_tree(
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
-    if (len >= 0x3ffffff)
+    if (len > UINT_MAX / sizeof(int))
 	/* Invalid length, multiply with sizeof(int) would overflow. */
 	return SP_FORMERROR;
     if (len > 0)
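Review bot: `if (len > UINT_MAX / sizeof(int))` compares a signed `int` with an unsigned `size_t`, which is only safe because the `if (len < 0)` two lines earlier has already returned on negative values; that dependency deserves a word in the comment, e.g. `/* len >= 0 here, so the unsigned comparison is exact. */`. Using `>` rather than `>=` is right, since `UINT_MAX / sizeof(int)` itself multiplies to 0xfffffffc, which still fits in 32 bits. `UINT_MAX` comes from `<limits.h>`; this hunk does not add the include, so confirm spellfile.c already has it.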
brammool (Contributor) Feb 26, 2017
