diff options
-rw-r--r-- | gnu/packages/patches/vim-CVE-2017-5953.patch | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch index 7b66f1bf16..070f98c2cb 100644 --- a/gnu/packages/patches/vim-CVE-2017-5953.patch +++ b/gnu/packages/patches/vim-CVE-2017-5953.patch @@ -3,20 +3,28 @@ Fix CVE-2017-5953: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953 https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY -Patch adapted from upstream commit, correcting the transcription error -in the bounds check: +This change is adapted from the upstream source repository: -https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d +https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7 diff --git a/src/spellfile.c b/src/spellfile.c -index c7d87c6..8b1a3a6 100644 +index c7d87c6..00ef019 100644 --- a/src/spellfile.c +++ b/src/spellfile.c +@@ -1585,7 +1585,7 @@ spell_read_tree( + int prefixtree, /* TRUE for the prefix tree */ + int prefixcnt) /* when "prefixtree" is TRUE: prefix count */ + { +- int len; ++ long len; + int idx; + char_u *bp; + idx_T *ip; @@ -1595,6 +1595,9 @@ spell_read_tree( len = get4c(fd); if (len < 0) return SP_TRUNCERROR; -+ if (len >= 0x3fffffff) ++ if (len >= LONG_MAX / (long)sizeof(int)) + /* Invalid length, multiply with sizeof(int) would overflow. */ + return SP_FORMERROR; if (len > 0) |