Fix CVE-2017-5953: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953 https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY Patch adapted from upstream commit, correcting the transcription error in the bounds check: https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d diff --git a/src/spellfile.c b/src/spellfile.c index c7d87c6..8b1a3a6 100644 --- a/src/spellfile.c +++ b/src/spellfile.c @@ -1595,6 +1595,9 @@ spell_read_tree( len = get4c(fd); if (len < 0) return SP_TRUNCERROR; + if (len >= 0x3fffffff) + /* Invalid length, multiply with sizeof(int) would overflow. */ + return SP_FORMERROR; if (len > 0) { /* Allocate the byte array. */