patch 8.0.0376: size computations in spell file reading are off

Problem:    Size computations in spell file reading are not exactly right.
Solution:   Make "len" a "long" and check with LONG_MAX.
brammool committed Feb 26, 2017
1 parent 5074a0e commit 6d3c8586fc81b022e9f06c611b9926108fb878c7
Showing with 4 additions and 2 deletions.
  1. +2 −2 src/spellfile.c
  2. +2 −0 src/version.c
src/spellfile.c
@@ -1585,7 +1585,7 @@ spell_read_tree(
int prefixtree, /* TRUE for the prefix tree */
int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
{
- int len;
+ long len;
int idx;
char_u *bp;
idx_T *ip;
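Review bot: `long len;` widens the variable only where long is wider than int; on platforms where both are 32 bits the range is the same as before, and the value is still whatever get4c(fd) returns. If the aim is to hold len * sizeof(int) without overflow, declaring len in the type that product is computed in (for example size_t, assigned after the `len < 0` check) states the intent more directly than long does.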
@@ -1595,7 +1595,7 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
- if (len >= 0x3ffffff)
+ if (len >= LONG_MAX / (long)sizeof(int))
/* Invalid length, multiply with sizeof(int) would overflow. */
return SP_FORMERROR;
if (len > 0)
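Review bot: The bound in `if (len >= LONG_MAX / (long)sizeof(int))` depends on the width of long. Where long is 64 bits and get4c returns at most a 32-bit value, as its name suggests, the test can never be true, so the length read from the file is limited only by the `len < 0` check. The removed constant 0x3ffffff rejected large lengths on every platform. Consider keeping a fixed upper limit alongside the overflow check, or comparing len against what remains of the file, and make sure the bound matches the type in which len * sizeof(int) is actually computed, which these lines do not show.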
src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 376,
/**/
375,
/**/
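Review bot: The `376,` entry is the only change outside src/spellfile.c (4 additions and 2 deletions in total), so the fix lands without a regression test. A test that loads a spell file whose tree length field is at or above the limit and expects the format error would pin the behaviour down for both 32-bit and 64-bit long.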