patch 8.0.0377: possible overflow when reading corrupted undo file
Problem:    Possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)
brammool committed Feb 26, 2017
1 parent 6d3c858 commit 3eb1637
Showing 2 changed files with 5 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/undo.c
Expand Up @@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
linenr_T line_lnum;
colnr_T line_colnr;
linenr_T line_count;
int num_head = 0;
long num_head = 0;
long old_header_seq, new_header_seq, cur_header_seq;
long seq_last, seq_cur;
long last_save_nr = 0;
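Review bot: widening `num_head` from `int` to `long` is only half of the fix on its own; the hunk does not show where `num_head` is assigned from the file, so it is worth confirming that the value is produced as a `long` all the way through (a 4-byte count passed through an `int` on the way in would still be truncated before the new overflow check ever sees it), and that the loops that later index `uhp_table` with this count were also moved to `long`, since comparing a `long num_head` against `int` loop counters would silently narrow it again. Note also that on targets where `long` is 32 bits this declaration change is a no-op and the protection rests entirely on the range check in the later hunk.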
Expand Down Expand Up @@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
* When there are no headers uhp_table is NULL. */
if (num_head > 0)
{
uhp_table = (u_header_T **)U_ALLOC_LINE(
if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
uhp_table = (u_header_T **)U_ALLOC_LINE(
num_head * sizeof(u_header_T *));
if (uhp_table == NULL)
goto error;
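Review bot: the rejection path is implicit: when `num_head < LONG_MAX / (long)sizeof(u_header_T *)` is false, nothing is assigned and control falls through to `if (uhp_table == NULL) goto error;`, so correctness depends on `uhp_table` having been initialised to NULL earlier (the comment above this hunk says it is NULL when there are no headers). An explicit `else goto error;`, or reusing whatever corrupt-file diagnostic this function already emits, would make the intent visible and survive a later reordering of the declarations. Two smaller points: the continuation line `num_head * sizeof(u_header_T *));` was not re-indented under the new `if`, and the bound only stops the multiplication from wrapping; a corrupted file can still request close to `LONG_MAX` bytes, which is then rejected only if `U_ALLOC_LINE` returns NULL, so a sanity bound tied to the size of the undo file (each header must occupy at least a few bytes of it) would reject such input before attempting a multi-gigabyte allocation.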
Expand Down
2 changes: 2 additions & 0 deletions src/version.c
Expand Up @@ -764,6 +764,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
/**/
377,
/**/
376,
/**/
Expand Down
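The overflow the commit message describes, worked through as an added example. This is not Vim code and does not read real undo files: it assumes a 4-byte big-endian count field (an assumption, chosen to mimic a file-supplied header count) and simulates the 32-bit `size_t` of an affected build with `uint32_t`, so the wrap-around is reproducible on a 64-bit host. `unchecked_table_bytes` is the pre-patch shape of the size computation, `checked_table_bytes` applies the same kind of division-based bound the patch adds, and `load_header_table` shows the check in the position the patch puts it, before the allocation.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Vim's code. uint32_t stands in for the 32-bit size_t
 * of an affected build so the multiplication wraps exactly as it would there. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Count field as a file would supply it: 4 bytes, big-endian (assumption). */
long read_be32(const unsigned char *p)
{
    unsigned long n = ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16)
                    | ((unsigned long)p[2] << 8)  |  (unsigned long)p[3];
    return (long)n;
}

/* Pre-patch shape: count * element size with no range check.
 * For large counts the product wraps modulo 2^32 to a small number. */
size32_t unchecked_table_bytes(size32_t num_head, size32_t elem_size)
{
    return num_head * elem_size;
}

/* Patched shape: refuse any count whose product would exceed the size type,
 * deciding by division so the multiplication itself can never wrap.
 * Returns 1 and stores the byte count on success, 0 on a bad or oversized count. */
int checked_table_bytes(long num_head, size32_t elem_size, size32_t *out)
{
    if (num_head <= 0 || elem_size == 0)
        return 0;
    if ((unsigned long)num_head > SIZE32_MAX / elem_size)
        return 0;                       /* product would overflow: do not allocate */
    *out = (size32_t)num_head * elem_size;
    return 1;
}

/* Slots an unchecked allocation really provides for num_head headers.
 * Anything less than num_head means the loader's fill loop writes past the end. */
long slots_allocated_unchecked(long num_head, size32_t elem_size)
{
    return (long)(unchecked_table_bytes((size32_t)num_head, elem_size) / elem_size);
}

/* Parse the count, apply the check, then allocate (the patch's ordering).
 * Returns the number of headers, 0 with *table == NULL when there are none,
 * or -1 when the count is rejected as corrupt. Caller frees *table. */
long load_header_table(const unsigned char *count_field, size32_t elem_size,
                       void ***table)
{
    long num_head = read_be32(count_field);
    size32_t bytes;

    *table = NULL;
    if (num_head == 0)
        return 0;                       /* no headers: table stays NULL */
    if (!checked_table_bytes(num_head, elem_size, &bytes))
        return -1;                      /* corrupted or hostile count */
    *table = (void **)calloc(bytes, 1);
    if (*table == NULL)
        return -1;                      /* allocator refused a huge but valid size */
    return num_head;
}

int main(void)
{
    /* Constructed count 0x40000001: with 4-byte pointers the unchecked size
     * is 0x100000004, which wraps to 4 bytes, i.e. room for one pointer. */
    static const unsigned char bad[4] = { 0x40, 0x00, 0x00, 0x01 };
    void **table;

    printf("unchecked: %ld slot(s) allocated for %ld headers\n",
           slots_allocated_unchecked(read_be32(bad), 4), read_be32(bad));
    printf("checked:   load_header_table returned %ld\n",
           load_header_table(bad, 4, &table));
    free(table);
    return 0;
}
```

The division form `count > MAX / elem_size` is the idiom to reach for whenever a count comes from untrusted input: it bounds the product without ever computing it, and it works for any element size, unlike a hard-coded magic limit. Bound it against the type the allocator actually takes (`size_t`, or `long_u` in Vim's case), and consider a second, tighter limit derived from the file size when the format makes one available.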

2 comments on commit 3eb1637

@carnil commented on 3eb1637 Feb 27, 2017


This is CVE-2017-6349

@Vekktone

How can I replicate this bug on my machine? I have vim 8.0.376 installed already. Thanks for any info.
