shqking wrote:
> Suspicious integer overflow is found in
> src/spellfile.c:1607. (https://github.com/vim/vim/blob/master/src/spellfile.c#L1607)
>
> Signed integer overflow might occur for len * sizeof(int) at line 1607, if
> len can hold a value whose range is (0xffff ffff / 4, 0x7fff ffff].
>
> Assume that len is 0x4000 0001. len * sizeof(int) would overflow to 0x4,
> which is much smaller than the expected result, i.e. 0x1 0000 0004.
> As a result, smaller memory space is allocated at line 1607 and buffer
> overflow would occur at line 1613.
>
> Note that len is read from a file fd.
> Since I'm not very familiar with the source code of vim, I'm not sure
> whether the concrete values of len can be controlled by adversaries or
> not.
> If so, this issue is a critical bug. If not, it's a false positive and
> please ignore it.
>
> Attached please find one possible patch.
Thanks. The check is OK, but it should return an error code. I'll make it that way.

--
It might look like I'm doing nothing, but at the cellular level I'm really
quite busy.

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
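The thread above describes a length read from a spell file being multiplied by sizeof(int) before allocation, and the reply asks for the check to return an error code rather than silently continue. The following is an added example written for this page, not Vim's code or the attached patch: it shows the wrap with a 32-bit size type, and a checked allocation that validates the untrusted length before multiplying and reports failure through an error code. The error-code names, the helper functions and the constructed 4-byte header are assumptions made for the example, not identifiers from spellfile.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical error codes for this example (not Vim's own). */
enum { ALLOC_OK = 0, ALLOC_ERR_RANGE = -1, ALLOC_ERR_NOMEM = -2 };

/* Reproduce the unchecked arithmetic with a 32-bit size type so the wrap is
 * visible on any host: 0x40000001 * 4 = 0x100000004 truncates to 0x4. */
uint32_t unchecked_bytes32(uint32_t len)
{
    return (uint32_t)(len * (uint32_t)sizeof(int));
}

/* Read a big-endian 4-byte length from file data (constructed input in this
 * example; the real reader pulls it from an fd). Returns it as a long so the
 * sign can be checked the same way the original code's len would be. */
long read_len_be32(const unsigned char *p)
{
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (long)(int32_t)v;
}

/* Checked allocation: len is untrusted, so it is bounded before the multiply.
 * size_max is passed in so a 32-bit limit (UINT32_MAX) can be exercised on a
 * 64-bit host; a real build would use SIZE_MAX. On success *out is set and
 * ALLOC_OK is returned; otherwise an error code is returned, as the reply asks. */
int alloc_int_array(long len, size_t size_max, int **out)
{
    *out = NULL;
    if (len < 0)
        return ALLOC_ERR_RANGE;
    /* len * sizeof(int) overflows exactly when len > size_max / sizeof(int). */
    if ((unsigned long)len > size_max / sizeof(int))
        return ALLOC_ERR_RANGE;
    size_t bytes = (size_t)len * sizeof(int);
    int *p = malloc(bytes ? bytes : 1);
    if (p == NULL)
        return ALLOC_ERR_NOMEM;
    *out = p;
    return ALLOC_OK;
}

int main(void)
{
    /* Constructed header bytes carrying the length from the report: 0x40000001. */
    const unsigned char hdr[4] = { 0x40, 0x00, 0x00, 0x01 };
    long len = read_len_be32(hdr);
    int *arr = NULL;

    printf("len = 0x%lx, unchecked 32-bit byte count = 0x%x\n",
           len, unchecked_bytes32((uint32_t)len));
    printf("checked allocation returns %d\n",
           alloc_int_array(len, UINT32_MAX, &arr));
    free(arr);
    return 0;
}
```

The check `len > size_max / sizeof(int)` is the standard pre-multiplication bound: dividing the limit by the element size cannot overflow, so the comparison is exact, and the caller sees an error code instead of an undersized buffer that the later loop would overrun.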