aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-02-26 11:48:20 -0500
committerLeo Famulari <leo@famulari.name>2017-02-26 12:04:16 -0500
commitffa771d2b4c069c1fcf6d226d330ce1f514d7a49 (patch)
tree955324d78dc09f23861c2b832ff0c1dd6018027b /gnu/packages
parent2f1d20a8d473d9183460d38ed34f1c3d51860c78 (diff)
downloadpatches-ffa771d2b4c069c1fcf6d226d330ce1f514d7a49.tar
patches-ffa771d2b4c069c1fcf6d226d330ce1f514d7a49.tar.gz
gnu: vim: Use upstream fix for CVE-2017-5953.
* gnu/packages/patches/vim-CVE-2017-5953.patch: Adjust to match upstream changes.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/patches/vim-CVE-2017-5953.patch18
1 files changed, 13 insertions, 5 deletions
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch
index 7b66f1bf16..070f98c2cb 100644
--- a/gnu/packages/patches/vim-CVE-2017-5953.patch
+++ b/gnu/packages/patches/vim-CVE-2017-5953.patch
@@ -3,20 +3,28 @@ Fix CVE-2017-5953:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953
https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY
-Patch adapted from upstream commit, correcting the transcription error
-in the bounds check:
+This change is adapted from the upstream source repository:
-https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
+https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7
diff --git a/src/spellfile.c b/src/spellfile.c
-index c7d87c6..8b1a3a6 100644
+index c7d87c6..00ef019 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
+@@ -1585,7 +1585,7 @@ spell_read_tree(
+ int prefixtree, /* TRUE for the prefix tree */
+ int prefixcnt) /* when "prefixtree" is TRUE: prefix count */
+ {
+- int len;
++ long len;
+ int idx;
+ char_u *bp;
+ idx_T *ip;
@@ -1595,6 +1595,9 @@ spell_read_tree(
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
-+ if (len >= 0x3fffffff)
++ if (len >= LONG_MAX / (long)sizeof(int))
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)