Hi all.
Integer overflow is found in src/undo.c:1405
(https://github.com/vim/vim/blob/master/src/undo.c#L1405).
Signed integer overflow might occur for sizeof(char_u *) * uep->ue_size at line 1405, if uep->ue_size can hold a value in the range (0xffff ffff / 4, 0x7fff ffff].
Assume that uep->ue_size is 0x4000 0001. sizeof(char_u *) * uep->ue_size would overflow to 0x4, which is much smaller than the expected result, i.e. 0x1 0000 0004. As a result, a smaller memory space is allocated and a buffer overflow would occur at line 1432.
Note that this issue is similar to the integer overflow in spellfile.c (https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY).
Attached is one possible patch.
Thanks a lot.
You received this message from the "vim_dev" maillist.
--- ./vim/src/undo.c 2017-02-07 17:04:12.000000000 +0800
+++ undo-io-patch.c 2017-02-13 12:52:53.000000000 +0800
@@ -1402,6 +1402,11 @@
uep->ue_size = undo_read_4c(bi);
if (uep->ue_size > 0)
{
+ if(uep->ue_size > 0x3fffffff)
+ {
+ *error = TRUE;
+ return uep;
+ }
array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size);
if (array == NULL)
{
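Review bot: the bound 0x3fffffff in the added check hard-codes the assumption that sizeof(char_u *) is 4, so it is not derived from the expression it guards (sizeof(char_u *) * uep->ue_size on the U_ALLOC_LINE line) and becomes the wrong limit on platforms with 8-byte pointers; express the limit in terms of the element size instead, e.g. `if (uep->ue_size > (maximum of the ue_size type) / sizeof(char_u *))`, so the check stays correct whatever the pointer width. Minor style: `if(uep->ue_size > 0x3fffffff)` should read `if (uep->ue_size > 0x3fffffff)` with a space, matching `if (uep->ue_size > 0)` just above it.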
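The following is an added example, not part of the report above and not Vim's code, that makes the arithmetic in the report concrete: it reproduces the wrap of sizeof(char_u *) * uep->ue_size for the reported value 0x40000001 using 32-bit operands (the 32-bit build the report's figures correspond to; a 64-bit build has 8-byte pointers and a 64-bit size_t, so the same value does not wrap there), and beside it a size computation that rejects any element count whose product with the element size would wrap. The names alloc_bytes_32bit, checked_array_bytes and alloc_line_array are hypothetical; the char_u typedef is borrowed from the report, and the limit parameter exists only so the 32-bit case can be exercised on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

typedef unsigned char char_u;   /* Vim's byte type, as used in the report */

/* Reproduce the report's arithmetic with 32-bit operands, i.e. what a 32-bit
 * build computes for sizeof(char_u *) * uep->ue_size (hypothetical helper). */
uint32_t alloc_bytes_32bit(uint32_t ue_size)
{
    const uint32_t ptr_size = 4;        /* sizeof(char_u *) on a 32-bit build */
    return ptr_size * ue_size;          /* unsigned multiply wraps modulo 2^32 */
}

/* Hardened size computation: return 1 and store count * elem_size in *out
 * only when that product cannot exceed `limit`; otherwise return 0.
 * `limit` is a parameter so the 32-bit case can be exercised on any host;
 * a real caller passes SIZE_MAX. Hypothetical name, not Vim's API. */
int checked_array_bytes(long count, size_t elem_size, size_t limit, size_t *out)
{
    if (count <= 0 || elem_size == 0)
        return 0;                       /* nothing sensible to allocate */
    if ((size_t)count > limit / elem_size)
        return 0;                       /* multiplication would wrap */
    *out = (size_t)count * elem_size;
    return 1;
}

/* Allocate an array of `count` line pointers, refusing counts that wrap.
 * Stand-in for the U_ALLOC_LINE call at the reported site (hypothetical). */
char_u **alloc_line_array(long count)
{
    size_t bytes;
    if (!checked_array_bytes(count, sizeof(char_u *), SIZE_MAX, &bytes))
        return NULL;
    return (char_u **)malloc(bytes);
}

int main(void)
{
    size_t bytes;
    int ok;
    char_u **array;

    /* The report's example: 0x40000001 entries of 4-byte pointers wraps to 4. */
    printf("32-bit product for 0x40000001 entries: 0x%lx\n",
           (unsigned long)alloc_bytes_32bit(0x40000001u));

    ok = checked_array_bytes(0x40000001L, 4, UINT32_MAX, &bytes);
    printf("checked against a 32-bit limit: %s\n", ok ? "accepted" : "rejected");

    array = alloc_line_array(16);
    printf("16 entries on this host: %s\n", array ? "allocated" : "rejected");
    free(array);
    return 0;
}
```

The guard is the division form of the overflow check: count * elem_size fits in limit exactly when count <= limit / elem_size, which avoids computing the product before it has been validated. Writing the bound this way, rather than as a literal, keeps it tied to sizeof(char_u *) and the size type actually in use.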