mirror of
https://github.com/vim/vim.git
synced 2025-09-07 22:03:36 -04:00
patch 8.0.0378: possible overflow when reading corrupted undo file
Problem: Another possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King)
This commit is contained in:
parent
3eb1637b1b
commit
0c8485f0e4
@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
|
||||
{
|
||||
int i;
|
||||
u_entry_T *uep;
|
||||
char_u **array;
|
||||
char_u **array = NULL;
|
||||
char_u *line;
|
||||
int line_len;
|
||||
|
||||
@ -1402,7 +1402,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
|
||||
uep->ue_size = undo_read_4c(bi);
|
||||
if (uep->ue_size > 0)
|
||||
{
|
||||
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
|
||||
if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
|
||||
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
|
||||
if (array == NULL)
|
||||
{
|
||||
*error = TRUE;
|
||||
@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
|
||||
}
|
||||
vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
|
||||
}
|
||||
else
|
||||
array = NULL;
|
||||
uep->ue_array = array;
|
||||
|
||||
for (i = 0; i < uep->ue_size; ++i)
|
||||
|
@ -764,6 +764,8 @@ static char *(features[]) =
|
||||
|
||||
static int included_patches[] =
|
||||
{ /* Add new patch number below this line */
|
||||
/**/
|
||||
378,
|
||||
/**/
|
||||
377,
|
||||
/**/
|
||||
|
Loading…
x
Reference in New Issue
Block a user