patch 8.0.0377: possible overflow when reading corrupted undo file

Problem:    Possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)
brammool committed Feb 26, 2017
1 parent 6d3c858 commit 3eb1637b1bba19519885dd6d377bd5596e91d22c
Showing with 5 additions and 2 deletions.
  1. +3 −2 src/undo.c
  2. +2 −0 src/version.c
@@ -1787,7 +1787,7 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
linenr_T line_lnum;
colnr_T line_colnr;
linenr_T line_count;
- int num_head = 0;
+ long num_head = 0;
long old_header_seq, new_header_seq, cur_header_seq;
long seq_last, seq_cur;
long last_save_nr = 0;
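Review bot: widening `num_head` from `int` to `long` only enlarges the range of the later `num_head * sizeof(u_header_T *)` computation on platforms where `long` is wider than `int`; on 32-bit targets, and on Windows LLP64 where `long` stays 32-bit, the type change is a no-op and the `LONG_MAX` bound check in the second hunk is what actually prevents the overflow. A short comment next to the declaration saying that the width is deliberate and that the bound check is the real guard would stop someone "cleaning" it back to `int` later.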
@@ -1974,7 +1974,8 @@ u_read_undo(char_u *name, char_u *hash, char_u *orig_name)
* When there are no headers uhp_table is NULL. */
if (num_head > 0)
{
- uhp_table = (u_header_T **)U_ALLOC_LINE(
+ if (num_head < LONG_MAX / (long)sizeof(u_header_T *))
+ uhp_table = (u_header_T **)U_ALLOC_LINE(
num_head * sizeof(u_header_T *));
if (uhp_table == NULL)
goto error;
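Review bot: the new `if (num_head < LONG_MAX / (long)sizeof(u_header_T *))` has no `else` branch, so for an oversized count the code silently skips the allocation and depends on `uhp_table` already being NULL to reach `goto error` through the pre-existing `if (uhp_table == NULL)` check; that initialisation is not visible in this hunk, and if `uhp_table` were ever non-NULL at this point a corrupted file would proceed with a stale pointer. An explicit `else goto error;` (or an `uhp_table = NULL;` immediately before the check) plus a one-line comment that the fallthrough is intentional would make the failure path obvious and would also let the error message distinguish "header count rejected" from "allocation failed". Also confirm that `<limits.h>` is reachable from `undo.c`, since `LONG_MAX` is new here.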
@@ -764,6 +764,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 377,
/**/
376,
/**/

2 comments on commit 3eb1637

carnil Feb 27, 2017

This is CVE-2017-6349
Vekktone Mar 7, 2017

How can I replicate this bug on my machine? I have vim 8.0.376 installed already. Thanks for any info