patch 8.0.0322: possible overflow with corrupted spell file Problem: Possible overflow with spell file where the tree length is corrupted. Solution: Check for an invalid length (suggested by shqking)

commit: 399c297aa93afe2c0a39e2a1b3f972aebba44c9d [log] [tgz]
author: Bram Moolenaar <Bram@vim.org> Thu Feb 09 21:07:12 2017 +0100
committer: Bram Moolenaar <Bram@vim.org> Thu Feb 09 21:07:12 2017 +0100
tree: f9175f98e1893debeaaaa62f4bd11be1c3baa7e4
parent: 8cc2a9c062fa38e133a62778518f769a423a2526 [diff]
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..8b1a3a6 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c

@@ -1595,6 +1595,9 @@
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
     if (len > 0)
     {
 	/* Allocate the byte array. */

diff --git a/src/version.c b/src/version.c
index 7a3d215..c1a5186 100644
--- a/src/version.c
+++ b/src/version.c

@@ -765,6 +765,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    322,
+/**/
     321,
 /**/
     320,
commit	399c297aa93afe2c0a39e2a1b3f972aebba44c9d	[log] [tgz]
author	Bram Moolenaar <Bram@vim.org>	Thu Feb 09 21:07:12 2017 +0100
committer	Bram Moolenaar <Bram@vim.org>	Thu Feb 09 21:07:12 2017 +0100
tree	f9175f98e1893debeaaaa62f4bd11be1c3baa7e4
parent	8cc2a9c062fa38e133a62778518f769a423a2526 [diff]