patch 8.0.0322: possible overflow with corrupted spell file
Problem: Possible overflow with spell file where the tree length is
corrupted.
Solution: Check for an invalid length (suggested by shqking)
diff --git a/src/spellfile.c b/src/spellfile.c
index c7d87c6..8b1a3a6 100644
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -1595,6 +1595,9 @@
len = get4c(fd);
if (len < 0)
return SP_TRUNCERROR;
+ if (len >= 0x3ffffff)
+ /* Invalid length, multiply with sizeof(int) would overflow. */
+ return SP_FORMERROR;
if (len > 0)
{
/* Allocate the byte array. */
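Review bot: The new bound `0x3ffffff` on the added line is a magic number whose relation to the overflow it prevents is only stated in the comment, and the comment appears to overstate it: if the multiplication it refers to is done in `int` arithmetic, `len * sizeof(int)` wraps only once `len` exceeds `INT_MAX / (int)sizeof(int)`, so the check rejects a wider range than it documents (a stricter bound is fine for safety, but the reason for this particular value should be written down). A named limit would make the intent auditable, e.g. a file-level `#define MAX_TREE_LEN 0x3ffffff /* node count cap for one tree; keeps len * sizeof(int) well inside an int */` and `if (len >= MAX_TREE_LEN)` here. Placing the comment between the unbraced `if` and its `return` also hides the control flow; moving the comment above the condition or bracing the body is the safer style. The enclosing function starts before and continues after this hunk, and the allocation the check guards is outside it, so whether the same `len` also drives a later read loop cannot be confirmed from the visible lines.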