patch 8.0.0378: possible overflow when reading corrupted undo file
Problem: Another possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King)
parent
3eb1637b1b
commit
0c8485f0e4
@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
|
|||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
u_entry_T *uep;
|
u_entry_T *uep;
|
||||||
char_u **array;
|
char_u **array = NULL;
|
||||||
char_u *line;
|
char_u *line;
|
||||||
int line_len;
|
int line_len;
|
||||||
|
|
||||||
@ -1402,6 +1402,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
|
|||||||
uep->ue_size = undo_read_4c(bi);
|
uep->ue_size = undo_read_4c(bi);
|
||||||
if (uep->ue_size > 0)
|
if (uep->ue_size > 0)
|
||||||
{
|
{
|
||||||
|
if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
|
||||||
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
|
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
|
||||||
if (array == NULL)
|
if (array == NULL)
|
||||||
{
|
{
|
||||||
@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
|
|||||||
}
|
}
|
||||||
vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
|
vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
|
||||||
}
|
}
|
||||||
else
|
|
||||||
array = NULL;
|
|
||||||
uep->ue_array = array;
|
uep->ue_array = array;
|
||||||
|
|
||||||
for (i = 0; i < uep->ue_size; ++i)
|
for (i = 0; i < uep->ue_size; ++i)
|
||||||
|
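Review bot: The bound added in the second hunk, `if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))`, only keeps the `sizeof(char_u *) * uep->ue_size` product from wrapping; it does not limit how much memory a corrupted undo file can request, so a large but non-overflowing count still reaches U_ALLOC_LINE and the vim_memset after it. The rejection path is also implicit: an over-limit count falls into the existing `if (array == NULL)` branch only because `array` is now initialised to NULL at its declaration in the first hunk, and that branch's body lies outside the visible lines, so it cannot be confirmed here that it reports a corrupted file and not an allocation failure. I would put braces around the guarded assignment and add a comment such as `/* ue_size comes from the undo file: skip the allocation when the byte count would overflow, array stays NULL */`. If a tighter limit is wanted, capping the count against something the reader already knows, for example the size of the undo file, would bound the allocation itself.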
@ -764,6 +764,8 @@ static char *(features[]) =
|
|||||||
|
|
||||||
static int included_patches[] =
|
static int included_patches[] =
|
||||||
{ /* Add new patch number below this line */
|
{ /* Add new patch number below this line */
|
||||||
|
/**/
|
||||||
|
378,
|
||||||
/**/
|
/**/
|
||||||
377,
|
377,
|
||||||
/**/
|
/**/
|
||||||
|