From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 9 Feb 2017 20:07:12 +0000 (+0100)
Subject: patch 8.0.0322: possible overflow with corrupted spell file
X-Git-Tag: v8.0.0322
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=399c297aa93afe2c0a39e2a1b3f972aebba44c9d;p=vim

patch 8.0.0322: possible overflow with corrupted spell file

Problem:    Possible overflow with spell file where the tree length is
            corrupted.
Solution:   Check for an invalid length (suggested by shqking)
---

diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6c7..8b1a3a633 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
     if (len > 0)
     {
 	/* Allocate the byte array. */
diff --git a/src/version.c b/src/version.c
index 7a3d21513..c1a5186ba 100644
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    322,
 /**/
     321,
 /**/