aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-23 03:43:49 -04:00
Code Activity

patch 8.0.0378: possible overflow when reading corrupted undo file

Browse Source 
Problem:    Another possible overflow when reading corrupted undo file.
Solution:   Check if allocated size is not too big. (King)
This commit is contained in:
Bram Moolenaar
2017-02-26 18:17:10 +01:00
parent 3eb1637b1b
commit 0c8485f0e4
2 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/undo.c
View File

@@ -1385,7 +1385,7 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
{
int i;
u_entry_T *uep;
char_u **array;
char_u **array = NULL;
char_u *line;
int line_len;
@@ -1402,7 +1402,8 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
uep->ue_size = undo_read_4c(bi);
if (uep->ue_size > 0)
{
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *))
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
if (array == NULL)
{
*error = TRUE;
@@ -1410,8 +1411,6 @@ unserialize_uep(bufinfo_T *bi, int *error, char_u *file_name)
}
vim_memset(array, 0, sizeof(char_u *) * uep->ue_size);
}
else
array = NULL;
uep->ue_array = array;
for (i = 0; i < uep->ue_size; ++i)