patch 8.0.0322: possible overflow with corrupted spell file

Problem: Possible overflow with spell file where the tree length is corrupted. Solution: Check for an invalid length (suggested by shqking)
2025-09-29 04:34:16 -04:00 · 2017-02-09 21:07:12 +01:00
parent 8cc2a9c062
commit 399c297aa9
2 changed files with 5 additions and 0 deletions
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
    len = get4c(fd);
    if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
    if (len > 0)
    {
 	/* Allocate the byte array. */
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    322,
 /**/
    321,
 /**/