guix/gnu/packages/patches/vim-CVE-2017-5953.patch
Leo Famulari 1ae04e3511
gnu: vim: Fix CVE-2017-5953.
* gnu/packages/patches/vim-CVE-2017-5953.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/vim.scm (vim)[source]: Use it.
2017-02-14 14:24:04 -05:00

24 lines
710 B
Diff

Fix CVE-2017-5953:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
Patch adapted from upstream commit, correcting the transcription error
in the bounds check:
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..8b1a3a6 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3fffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */