patch 8.0.0322: possible overflow with corrupted spell file

author Bram Moolenaar <Bram@vim.org>

Thu, 9 Feb 2017 20:07:12 +0000 (21:07 +0100)

committer Bram Moolenaar <Bram@vim.org>

Thu, 9 Feb 2017 20:07:12 +0000 (21:07 +0100)
author Bram Moolenaar <Bram@vim.org>
Thu, 9 Feb 2017 20:07:12 +0000 (21:07 +0100)
committer Bram Moolenaar <Bram@vim.org>
Thu, 9 Feb 2017 20:07:12 +0000 (21:07 +0100)
diff --git a/src/spellfile.c b/src/spellfile.c

index c7d87c6c726bddbf383e235b5222bd3dbd8d975b..8b1a3a633e8e714934919127245199d95c307a51 100644 (file)
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
      len = get4c(fd);
      if (len < 0)
         return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+       /* Invalid length, multiply with sizeof(int) would overflow. */
+       return SP_FORMERROR;
      if (len > 0)
      {
         /* Allocate the byte array. */
diff --git a/src/version.c b/src/version.c

index 7a3d21513f5d64638bc9e1515fc540d58880c7f7..c1a5186bac360a070d610da9311d1955e0c0aeba 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    322,
  /**/
      321,
  /**/
author	Bram Moolenaar <Bram@vim.org>
	Thu, 9 Feb 2017 20:07:12 +0000 (21:07 +0100)
committer	Bram Moolenaar <Bram@vim.org>
	Thu, 9 Feb 2017 20:07:12 +0000 (21:07 +0100)
src/spellfile.c		patch \| blob \| history
src/version.c		patch \| blob \| history