diff options
author | Leo Famulari <leo@famulari.name> | 2017-02-26 11:48:20 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-02-26 12:04:16 -0500 |
commit | ffa771d2b4c069c1fcf6d226d330ce1f514d7a49 (patch) | |
tree | 955324d78dc09f23861c2b832ff0c1dd6018027b /gnu/packages | |
parent | 2f1d20a8d473d9183460d38ed34f1c3d51860c78 (diff) | |
download | patches-ffa771d2b4c069c1fcf6d226d330ce1f514d7a49.tar patches-ffa771d2b4c069c1fcf6d226d330ce1f514d7a49.tar.gz |
gnu: vim: Use upstream fix for CVE-2017-5953.
* gnu/packages/patches/vim-CVE-2017-5953.patch: Adjust to match upstream changes.
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/patches/vim-CVE-2017-5953.patch | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/gnu/packages/patches/vim-CVE-2017-5953.patch b/gnu/packages/patches/vim-CVE-2017-5953.patch index 7b66f1bf16..070f98c2cb 100644 --- a/gnu/packages/patches/vim-CVE-2017-5953.patch +++ b/gnu/packages/patches/vim-CVE-2017-5953.patch @@ -3,20 +3,28 @@ Fix CVE-2017-5953: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953 https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY -Patch adapted from upstream commit, correcting the transcription error -in the bounds check: +This change is adapted from the upstream source repository: -https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d +https://github.com/vim/vim/commit/6d3c8586fc81b022e9f06c611b9926108fb878c7 diff --git a/src/spellfile.c b/src/spellfile.c -index c7d87c6..8b1a3a6 100644 +index c7d87c6..00ef019 100644 --- a/src/spellfile.c +++ b/src/spellfile.c +@@ -1585,7 +1585,7 @@ spell_read_tree( + int prefixtree, /* TRUE for the prefix tree */ + int prefixcnt) /* when "prefixtree" is TRUE: prefix count */ + { +- int len; ++ long len; + int idx; + char_u *bp; + idx_T *ip; @@ -1595,6 +1595,9 @@ spell_read_tree( len = get4c(fd); if (len < 0) return SP_TRUNCERROR; -+ if (len >= 0x3fffffff) ++ if (len >= LONG_MAX / (long)sizeof(int)) + /* Invalid length, multiply with sizeof(int) would overflow. */ + return SP_FORMERROR; if (len > 0) |