On Monday, February 13, 2017 at 12:54:12 PM UTC+8, shqking wrote:
> Hi all.
>
> Integer overflow is found in src/undo.c:1405
> (https://github.com/vim/vim/blob/master/src/undo.c#L1405).
>
> Signed integer overflow might occur for sizeof(char_u *) * uep->ue_size at
> line 1405, if uep->ue_size can hold a value whose range is (0xffff ffff / 4,
> 0x7fff ffff].
>
> Assume that uep->ue_size is 0x4000 0001. sizeof(char_u *) * uep->ue_size
> would overflow to 0x4, which is much smaller than the expected result, i.e.
> 0x1 0000 0004. As a result, smaller memory space is allocated and buffer
> overflow would occur at line 1432.
>
> Note that this issue is similar to the integer overflow in
> spellfile.c (https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY).
>
> Attached is one possible patch.
> Thanks a lot.
One more similar issue is found in src/undo.c:1977
(https://github.com/vim/vim/blob/master/src/undo.c#L1977).
Here, variable num_head is read from outside at line 1945. The multiplication
at line 1977, i.e. num_head * sizeof(u_header_T *), might overflow if num_head
has a very big value, which would lead to buffer overflow later, i.e. the
memory read within one loop (at line 2019).
Attached please find one possible patch.
Thanks.
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
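The two reports above both come down to the same arithmetic: an element count read from a file is multiplied by a pointer size, and on a 32-bit build the product wraps before it reaches the allocator. The following C program is an added example, not vim code and not the attached patch; the helper names (max_count32, mul32_wrapping, mul32_checked, array_size_ok, alloc_array_checked) are hypothetical. It reproduces the wrap with the ue_size value from the quoted message (0x40000001 * 4 becomes 4), shows the checked form that rejects the count instead, and shows how the patch's 0x3fffffff bound falls out of UINT32_MAX / sizeof(pointer) rather than being a magic number. The product is treated as unsigned size arithmetic, which is what multiplying by sizeof yields in C.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Largest element count whose product with elem_size still fits in a
 * 32-bit unsigned size, i.e. the situation the post describes on a
 * 32-bit build.  For 4-byte pointers this evaluates to 0x3fffffff,
 * the constant used in the attached patch.
 */
uint32_t max_count32(uint32_t elem_size)
{
    return elem_size == 0 ? 0 : UINT32_MAX / elem_size;
}

/* Unchecked 32-bit product: unsigned arithmetic wraps modulo 2^32. */
uint32_t mul32_wrapping(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/*
 * Checked 32-bit product: returns false (and leaves *out untouched)
 * instead of wrapping when count * elem_size does not fit.
 */
bool mul32_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/*
 * Native-width version of the same check, usable as a guard in front of
 * any allocation whose count was parsed from a file.  count is signed
 * because that is how counts read from headers usually arrive; a
 * non-positive count is rejected together with an overflowing one.
 */
bool array_size_ok(long count, size_t elem_size, size_t *bytes)
{
    if (count <= 0 || elem_size == 0)
        return false;
    if ((size_t)count > SIZE_MAX / elem_size)
        return false;
    *bytes = (size_t)count * elem_size;
    return true;
}

/* Allocation wrapper: NULL on overflow as well as on allocation failure. */
void *alloc_array_checked(long count, size_t elem_size)
{
    size_t bytes;
    if (!array_size_ok(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t n = 0x40000001u;   /* ue_size value from the quoted report */
    uint32_t r = 0;

    printf("wrapping: 0x%x * 4 = 0x%x\n", n, mul32_wrapping(n, 4));
    printf("checked : 0x%x * 4 -> %s\n", n,
           mul32_checked(n, 4, &r) ? "ok" : "overflow rejected");
    printf("largest safe count for 4-byte elements: 0x%x\n", max_count32(4));

    /* Small, legitimate count: allocation goes through as normal. */
    void *table = alloc_array_checked(16, sizeof(void *));
    printf("alloc_array_checked(16, %zu) -> %s\n", sizeof(void *),
           table ? "allocated" : "rejected");
    free(table);

    /* Overflowing count: rejected before malloc is ever called. */
    printf("alloc_array_checked(LONG_MAX, %zu) -> %s\n", sizeof(void *),
           alloc_array_checked(LONG_MAX, sizeof(void *)) ? "allocated" : "rejected");
    return 0;
}
```

Deriving the bound from the element size, as array_size_ok does, keeps the check correct whether pointers are 4 or 8 bytes wide, and keeping the rejected count visible to the caller lets it report a corrupt file rather than silently continuing with a smaller buffer.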
--- ./vim/src/undo.c 2017-02-07 17:04:12.000000000 +0800
+++ undo-io-1977-patch.c 2017-02-13 13:08:54.000000000 +0800
@@ -1972,7 +1972,7 @@
* until we insert them into curbuf. The table remains sorted by the
* sequence numbers of the headers.
* When there are no headers uhp_table is NULL. */
- if (num_head > 0)
+ if (num_head > 0 && num_head <= 0x3fffffff)
{
uhp_table = (u_header_T **)U_ALLOC_LINE(
num_head * sizeof(u_header_T *));
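Review bot: the new upper bound `num_head <= 0x3fffffff` is a magic number that only equals the true limit when `sizeof(u_header_T *)` is 4; it still prevents wraparound with 8-byte pointers, but nothing in the hunk says why, and a reader cannot see how the constant relates to the product `num_head * sizeof(u_header_T *)` two lines below. Derive the bound from the element size instead, for example `num_head <= (int)(SIZE_MAX / sizeof(u_header_T *))` (with `<stdint.h>` available, or the equivalent maximum of the type that `U_ALLOC_LINE` takes), and extend the comment above the `if` to say that num_head comes from the undo file and the product must not overflow. Also, an oversized num_head now falls through silently with `uhp_table` left NULL, exactly as if the file had no headers; since the value is external input, reporting it as a corrupt undo file would be preferable to quietly dropping the history.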