To: vim_dev@googlegroups.com Subject: Patch 8.0.0322 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.0.0322 Problem: Possible overflow with spell file where the tree length is corrupted. Solution: Check for an invalid length (suggested by shqking) Files: src/spellfile.c *** ../vim-8.0.0321/src/spellfile.c 2016-08-29 22:42:20.000000000 +0200 --- src/spellfile.c 2017-02-09 20:54:32.818677322 +0100 *************** *** 1595,1600 **** --- 1595,1603 ---- len = get4c(fd); if (len < 0) return SP_TRUNCERROR; + if (len >= 0x3ffffff) + /* Invalid length, multiply with sizeof(int) would overflow. */ + return SP_FORMERROR; if (len > 0) { /* Allocate the byte array. */ *** ../vim-8.0.0321/src/version.c 2017-02-09 20:22:25.997738785 +0100 --- src/version.c 2017-02-09 21:06:28.109105811 +0100 *************** *** 766,767 **** --- 766,769 ---- { /* Add new patch number below this line */ + /**/ + 322, /**/ -- System administrators are just like women: You can't live with them and you can't live without them. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
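Review bot: In the src/spellfile.c hunk, the bound in `if (len >= 0x3ffffff)` does not match the comment under it. 0x3ffffff is a 26-bit value, so with a 4-byte int the product of len and sizeof(int) stays just under 256 MiB and does not overflow a 32-bit integer; the check works as a conservative size cap rather than as the overflow boundary the comment describes. If an overflow guard is intended, derive the limit from the maximum of the type used for the size divided by sizeof(int) instead of a hex literal, which also stays correct on platforms where sizeof(int) is not 4. If a sanity cap on the tree length is intended, say that in the comment. The multiplication being guarded is not visible in this hunk, so the comment could also name the allocation it protects. The Files list contains only src/spellfile.c; a regression test that loads a spell file with a corrupted tree length and expects SP_FORMERROR would keep this check from regressing.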