To: vim_dev@googlegroups.com Subject: Patch 8.0.0377 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.0.0377 Problem: Possible overflow when reading corrupted undo file. Solution: Check if allocated size is not too big. (King) Files: src/undo.c *** ../vim-8.0.0376/src/undo.c 2017-01-17 22:09:41.310252893 +0100 --- src/undo.c 2017-02-26 18:10:43.165993259 +0100 *************** *** 1787,1793 **** linenr_T line_lnum; colnr_T line_colnr; linenr_T line_count; ! int num_head = 0; long old_header_seq, new_header_seq, cur_header_seq; long seq_last, seq_cur; long last_save_nr = 0; --- 1787,1793 ---- linenr_T line_lnum; colnr_T line_colnr; linenr_T line_count; ! long num_head = 0; long old_header_seq, new_header_seq, cur_header_seq; long seq_last, seq_cur; long last_save_nr = 0; *************** *** 1974,1980 **** * When there are no headers uhp_table is NULL. */ if (num_head > 0) { ! uhp_table = (u_header_T **)U_ALLOC_LINE( num_head * sizeof(u_header_T *)); if (uhp_table == NULL) goto error; --- 1974,1981 ---- * When there are no headers uhp_table is NULL. */ if (num_head > 0) { ! if (num_head < LONG_MAX / (long)sizeof(u_header_T *)) ! uhp_table = (u_header_T **)U_ALLOC_LINE( num_head * sizeof(u_header_T *)); if (uhp_table == NULL) goto error; *** ../vim-8.0.0376/src/version.c 2017-02-26 15:27:18.463432807 +0100 --- src/version.c 2017-02-26 18:10:54.129917726 +0100 *************** *** 766,767 **** --- 766,769 ---- { /* Add new patch number below this line */ + /**/ + 377, /**/ -- How To Keep A Healthy Level Of Insanity: 5. Put decaf in the coffee maker for 3 weeks. Once everyone has gotten over their caffeine addictions, switch to espresso. 
/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
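Review bot: the first undo.c hunk (lines 1787-1793) widens num_head from int to long, but the diff does not include the line that assigns num_head from the undo file or the loops that use it as a bound, so please confirm that the reader it is assigned from returns a long. If it still yields a 32-bit value, num_head can never exceed INT_MAX and the LONG_MAX / sizeof(u_header_T *) bound added in the allocation hunk (about 2^60 on LP64) is unreachable there; on ILP32 targets that bound is LONG_MAX / 4, so the check only rejects counts above roughly 536 million headers.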
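Review bot: in the second undo.c hunk (lines 1974-1981), the new `if (num_head < LONG_MAX / (long)sizeof(u_header_T *))` keeps the multiplication from wrapping, but when the check fails it relies on uhp_table already being NULL (as the context comment "When there are no headers uhp_table is NULL" indicates) to fall into `goto error`, and it still admits any num_head below the bound, so a corrupted count of a few hundred million headers still asks U_ALLOC_LINE for gigabytes and the file is rejected only if that allocation fails. Suggest an explicit `else` branch that reports the file as corrupt, and a sanity bound tied to what the file can actually hold (a header count larger than the number of bytes left in the file cannot be valid) instead of LONG_MAX. The `<` rather than `<=` in the check is harmlessly conservative, since LONG_MAX / 8 * 8 still fits in a long.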