Change-Id: Ia0b3b3cd1eba1016766565fddf2e395fa2f84903
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/2098
Reviewed-by: Sharath George
Tested-by: gerrit-photon <photon-checkins@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,52 @@ |
0 |
+diff -rup vim74/src/undo.c vim74-new/src/undo.c |
|
1 |
+--- vim74/src/undo.c 2013-06-10 11:13:37.000000000 -0700 |
|
2 |
+@@ -1151,7 +1151,7 @@ unserialize_uep(fp, error, file_name) |
|
3 |
+ { |
|
4 |
+ int i; |
|
5 |
+ u_entry_T *uep; |
|
6 |
+- char_u **array; |
|
7 |
++ char_u **array = NULL; |
|
8 |
+ char_u *line; |
|
9 |
+ int line_len; |
|
10 |
+ |
|
11 |
+@@ -1168,7 +1168,8 @@ unserialize_uep(fp, error, file_name) |
|
12 |
+ uep->ue_size = get4c(fp); |
|
13 |
+ if (uep->ue_size > 0) |
|
14 |
+ { |
|
15 |
+- array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size); |
|
16 |
++ if (uep->ue_size < LONG_MAX / (int)sizeof(char_u *)) |
|
17 |
++ array = (char_u **)U_ALLOC_LINE(sizeof(char_u *) * uep->ue_size); |
|
18 |
+ if (array == NULL) |
|
19 |
+ { |
|
20 |
+ *error = TRUE; |
|
21 |
+@@ -1176,8 +1177,6 @@ unserialize_uep(fp, error, file_name) |
|
22 |
+ } |
|
23 |
+ vim_memset(array, 0, sizeof(char_u *) * uep->ue_size); |
|
24 |
+ } |
|
25 |
+- else |
|
26 |
+- array = NULL; |
|
27 |
+ uep->ue_array = array; |
|
28 |
+ |
|
29 |
+ for (i = 0; i < uep->ue_size; ++i) |
|
30 |
+@@ -1572,7 +1571,7 @@ u_read_undo(name, hash, orig_name) |
|
31 |
+ linenr_T line_lnum; |
|
32 |
+ colnr_T line_colnr; |
|
33 |
+ linenr_T line_count; |
|
34 |
+- int num_head = 0; |
|
35 |
++ long num_head = 0; |
|
36 |
+ long old_header_seq, new_header_seq, cur_header_seq; |
|
37 |
+ long seq_last, seq_cur; |
|
38 |
+ long last_save_nr = 0; |
|
39 |
+@@ -1745,8 +1744,9 @@ u_read_undo(name, hash, orig_name) |
|
40 |
+ * When there are no headers uhp_table is NULL. */ |
|
41 |
+ if (num_head > 0) |
|
42 |
+ { |
|
43 |
+- uhp_table = (u_header_T **)U_ALLOC_LINE( |
|
44 |
+- num_head * sizeof(u_header_T *)); |
|
45 |
++ if (num_head < LONG_MAX / (long)sizeof(u_header_T *)) |
|
46 |
++ uhp_table = (u_header_T **)U_ALLOC_LINE( |
|
47 |
++ num_head * sizeof(u_header_T *)); |
|
48 |
+ if (uhp_table == NULL) |
|
49 |
+ goto error; |
|
50 |
+ } |
... | ... |
@@ -3,7 +3,7 @@ |
3 | 3 |
Summary: Text editor |
4 | 4 |
Name: vim |
5 | 5 |
Version: 7.4 |
6 |
-Release: 9%{?dist} |
|
6 |
+Release: 10%{?dist} |
|
7 | 7 |
License: Charityware |
8 | 8 |
URL: http://www.vim.org |
9 | 9 |
Group: Applications/Editors |
... | ... |
@@ -13,6 +13,7 @@ Source0: %{name}-%{version}.tar.bz2 |
13 | 13 |
%define sha1 vim=601abf7cc2b5ab186f40d8790e542f86afca86b7 |
14 | 14 |
Patch0: vim-CVE-2016-1248.patch |
15 | 15 |
Patch1: vim-7.4-CVE-2017-5953.patch |
16 |
+Patch2: vim-7.4-CVE-2017-6349_CVE-2017-6350.patch |
|
16 | 17 |
BuildRequires: ncurses-devel |
17 | 18 |
Requires: tcsh |
18 | 19 |
|
... | ... |
@@ -31,6 +32,7 @@ The vim extra package contains a extra files for powerful text editor. |
31 | 31 |
%setup -q -n %{name}74 |
32 | 32 |
%patch0 -p1 |
33 | 33 |
%patch1 -p1 |
34 |
+%patch2 -p1 |
|
34 | 35 |
echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h |
35 | 36 |
%build |
36 | 37 |
./configure \ |
... | ... |
@@ -159,6 +161,8 @@ make test |
159 | 159 |
%{_bindir}/vimdiff |
160 | 160 |
|
161 | 161 |
%changelog |
162 |
+* Tue Feb 28 2017 Anish Swaminathan <anishs@vmware.com> 7.4-10 |
|
163 |
+- Fix for CVE-2017-6349 and CVE-2017-6350 |
|
162 | 164 |
* Fri Feb 17 2017 Anish Swaminathan <anishs@vmware.com> 7.4-9 |
163 | 165 |
- Fix for CVE-2017-5953 |
164 | 166 |
* Fri Nov 18 2016 Anish Swaminathan <anishs@vmware.com> 7.4-8 |