To: vim_dev@googlegroups.com
Subject: Patch 8.0.0378
Fcc: outbox
From: Bram Moolenaar
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 8.0.0378
Problem:    Another possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)
Files:      src/undo.c


*** ../vim-8.0.0377/src/undo.c  2017-02-26 18:11:32.741651768 +0100
--- src/undo.c  2017-02-26 18:15:58.615822683 +0100
***************
*** 1385,1391 ****
  {
      int i;
      u_entry_T *uep;
!     char_u **array;
      char_u *line;
      int line_len;
--- 1385,1391 ----
  {
      int i;
      u_entry_T *uep;
!     char_u **array = NULL;
      char_u *line;
      int line_len;
***************
*** 1402,1408 ****
      uep->ue_size = undo_read_4c(bi);
      if (uep->ue_size > 0)
      {
!         array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
          if (array == NULL)
          {
              *error = TRUE;
--- 1402,1409 ----
      uep->ue_size = undo_read_4c(bi);
      if (uep->ue_size > 0)
      {
!         if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
!             array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
          if (array == NULL)
          {
              *error = TRUE;
***************
*** 1410,1417 ****
          }
          vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
      }
-     else
-         array = NULL;
      uep->ue_array = array;
      for (i = 0; i < uep->ue_size; ++i)
--- 1411,1416 ----
*** ../vim-8.0.0377/src/version.c  2017-02-26 18:11:32.741651768 +0100
--- src/version.c  2017-02-26 18:16:39.331542915 +0100
***************
*** 766,767 ****
--- 766,769 ----
  { /* Add new patch number below this line */
+ /**/
+     378,
  /**/

-- 
How To Keep A Healthy Level Of Insanity:
6. In the memo field of all your checks, write "for sexual favors".

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
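Review bot: The new guard `if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))` in the second undo.c hunk only stops `sizeof(char_u *) * uep->ue_size` from wrapping; every count below that bound, which is whatever `undo_read_4c()` hands back from four untrusted bytes, still reaches `U_ALLOC_LINE` unchecked, so a corrupted undo file can still demand a multi-gigabyte allocation before `*error` is set. How `U_ALLOC_LINE` reports that failure is not visible here; if it prints an out-of-memory message, a corrupted file now yields a confusing diagnostic rather than an undo-file error. The first hunk declares the loop index as `int i` while `ue_size` is compared against `LONG_MAX`, so the later `for (i = 0; i < uep->ue_size; ++i)` relies on `undo_read_4c()` never returning more than `INT_MAX`, which the hunk does not show; bounding `ue_size` by a sane maximum (or by the bytes left in the file) would close both gaps. At minimum the magic bound deserves a comment on the `if`: `/* ue_size comes straight from the undo file and may be corrupted: refuse counts whose byte size would overflow before calling the allocator. */`. The enclosing function starts and ends outside this hunk, including the `return` that presumably follows `*error = TRUE`.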