| 6e29c9d9 |
diff -rup vim74/src/spell.c vim74-new/src/spell.c
--- vim74/src/spell.c 2013-07-17 08:28:28.000000000 -0700
+++ vim74-new/src/spell.c 2017-02-23 12:18:03.096797651 -0800
@@ -4043,6 +4043,9 @@ spell_read_tree(fd, bytsp, idxsp, prefix
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3fffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */ |