Fix CVE-2017-5953: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953 https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY This change is adapted from the upstream source repository: https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..00ef019 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1585,7 +1585,7 @@ spell_read_tree(
 int prefixtree, /* TRUE for the prefix tree */
 int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
 {
- int len;
+ long len;
 int idx;
 char_u *bp;
 idx_T *ip;
@@ -1595,6 +1595,9 @@ spell_read_tree(
 len = get4c(fd);
 if (len < 0)
 return SP_TRUNCERROR;
+ if (len >= LONG_MAX / (long)sizeof(int))
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
 if (len > 0)
 {
 /* Allocate the byte array. */
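Review bot: In the first hunk `len` is widened to `long` while `idx`, declared directly below it, stays `int`, and nothing on the declaration says why the two now differ. The wider type is what lets the later `LONG_MAX / (long)sizeof(int)` bound be evaluated without truncation, so I would record that on the declaration: `long len; /* long: checked against LONG_MAX / sizeof(int) before it is used for allocation */`. The rest of spell_read_tree lies outside the hunk; if `len` is later passed to an `int` parameter or compared with `idx`, that implicit narrowing deserves a look as well.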
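Review bot: The bound added in the second hunk only prevents the `len * sizeof(int)` wrap; every smaller value that `get4c(fd)` reads from the spell file is still accepted, so a corrupt file can still ask for an allocation far larger than the file itself. Whether that matters depends on the allocation code after `/* Allocate the byte array. */`, which is outside the hunk, but the limitation is worth stating next to the check, e.g. `/* len is untrusted file data: this rejects only values whose size computation would overflow, not merely large ones. */`. The comment-plus-return body under an unbraced `if` is also easy to break in a later edit; braces around those two lines would make the scope explicit.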