patch 8.0.0376: size computations in spell file reading are off

Problem:    Size computations in spell file reading are not exactly right.
Solution:   Make "len" a "long" and check with LONG_MAX.

diff --git a/src/spellfile.c b/src/spellfile.c
index 8b1a3a633e8e714934919127245199d95c307a51..00ef019a6a6ffbdc3ba920bbd3adf25b43005d41 100644 (file)
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1585,7 +1585,7 @@ spell_read_tree(
     int                prefixtree,     /* TRUE for the prefix tree */
     int                prefixcnt)      /* when "prefixtree" is TRUE: prefix count */
 {
-    int                len;
+    long       len;
     int                idx;
     char_u     *bp;
     idx_T      *ip;
@@ -1595,7 +1595,7 @@ spell_read_tree(
     len = get4c(fd);
     if (len < 0)
        return SP_TRUNCERROR;
-    if (len >= 0x3ffffff)
+    if (len >= LONG_MAX / (long)sizeof(int))
        /* Invalid length, multiply with sizeof(int) would overflow. */
        return SP_FORMERROR;
     if (len > 0)

diff --git a/src/version.c b/src/version.c
index 58ece754d1c734b265913347d0300b2f48aa0261..8d1454197d06ec2b9a01697f66f1bd5f1c9ab390 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    376,
 /**/
     375,
 /**/