An integer overflow at a ureadundo memory allocation site would occur for vim before patch 8.0.0377, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.
{ "vanir_signatures": [ { "signature_type": "Line", "signature_version": "v1", "source": "https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c", "deprecated": false, "id": "CVE-2017-6349-260cca65", "target": { "file": "src/version.c" }, "digest": { "line_hashes": [ "146200493773228420153804765641940418619", "314743990962291907291106720178574898746", "294015953615122921992409032915718401429", "23790596524115856710310864074706897970" ], "threshold": 0.9 } }, { "signature_type": "Line", "signature_version": "v1", "source": "https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c", "deprecated": false, "id": "CVE-2017-6349-4d7b0936", "target": { "file": "src/undo.c" }, "digest": { "line_hashes": [ "202777071037264636644237966157513102449", "169405979389334728395909998646531862827", "43521535092828451297628597684586218422", "268214837310866677308917319304575416346", "50581039107388327460180361128905169050", "53980664813076921210413230109024477936", "319739332434004503882525520253637076725", "258917808384588758740510528648811589266" ], "threshold": 0.9 } }, { "signature_type": "Function", "signature_version": "v1", "source": "https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c", "deprecated": false, "id": "CVE-2017-6349-6f4552a6", "target": { "function": "u_read_undo", "file": "src/undo.c" }, "digest": { "length": 6782.0, "function_hash": "255998989319683190163563303382780760758" } } ] }