Hi all.
A suspicious integer overflow was found in
src/spellfile.c:1607 (https://github.com/vim/vim/blob/master/src/spellfile.c#L1607).
Signed integer overflow might occur for len * sizeof(int) at line 1607, if len
can hold a value whose range is (0xffff ffff / 4, 0x7fff ffff].
Assume that len is 0x4000 0001. len * sizeof(int) would overflow to 0x4, which
is much smaller than the expected result, i.e. 0x1 0000 0004.
As a result, a smaller memory area is allocated at line 1607 and a buffer overflow
would occur at line 1613.
Note that len is read from a file descriptor fd.
Since I'm not very familiar with the source code of vim, I'm not sure whether
the concrete values of len can be controlled by adversaries or not.
If so, this issue is a critical bug. If not, it's a false positive; please
ignore it.
Attached please find one possible patch.
Thanks a lot.
--
--
You received this message from the "vim_dev" maillist.
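As an added example, not vim's code and not the attached patch, the following C program models the 32-bit product described in the message (len * sizeof(int) with len = 0x40000001) so the wrap-around is visible on any host, and places a hypothetical checked variant beside it that rejects any len whose byte count would not fit in 32 bits:

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the unchecked computation from the report: the product is
 * forced to 32 bits so the wrap is reproducible on 64-bit hosts too.
 * sizeof(int) is assumed to be 4, as on the targets discussed. */
static uint32_t unchecked_alloc_size(int32_t len)
{
    return (uint32_t)len * (uint32_t)sizeof(int);
}

/* Hypothetical checked variant (not vim's own code). Returns the byte
 * count, or -1 when len is negative or len * sizeof(int) would exceed
 * 32 bits, i.e. when len > 0xffffffff / sizeof(int) (0x3fffffff). */
static int64_t checked_alloc_size(int32_t len)
{
    if (len < 0)
        return -1;
    if ((uint32_t)len > UINT32_MAX / sizeof(int))
        return -1;
    return (int64_t)((uint32_t)len * (uint32_t)sizeof(int));
}

int main(void)
{
    int32_t len = 0x40000001;   /* the value used in the report */

    /* Wraps to 0x4 instead of the expected 0x100000004. */
    printf("unchecked: 0x%x\n", unchecked_alloc_size(len));
    /* Rejected: -1. */
    printf("checked:   %lld\n", (long long)checked_alloc_size(len));
    /* Largest accepted length: 0x3fffffff -> 0xfffffffc bytes. */
    printf("checked:   0x%llx\n", (long long)checked_alloc_size(0x3fffffff));
    return 0;
}
```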
--- ./vim/src/spellfile.c 2017-02-07 17:04:11.000000000 +0800
+++ spellfile-patched.c 2017-02-08 10:39:20.000000000 +0800
@@ -1595,7 +1595,7 @@
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
- if (len > 0)
+ if (len > 0 && len < 0x3fffffff)
{
/* Allocate the byte array. */
bp = lalloc((long_u)len, TRUE);
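Review bot: the widened condition `if (len > 0 && len < 0x3fffffff)` silently skips the block for an oversized len instead of rejecting the file, so whatever follows the block (outside this hunk) proceeds with no allocation having been made; a separate guard that returns an error, in the style of the `if (len < 0) return SP_TRUNCERROR;` just above, is the safer shape. The bound is also a bare magic number: it encodes 0xffffffff / 4 for a 4-byte int and excludes 0x3fffffff itself, so derive it from sizeof(int) in a named constant with a comment. Note too that the allocation visible in this hunk, `lalloc((long_u)len, TRUE)`, is len bytes rather than the len * sizeof(int) product the message refers to, so the comment should state which computation the bound protects.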