Source:
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
Script was adjusted for vim-7.4.1831

commit 399c297aa93afe2c0a39e2a1b3f972aebba44c9d
Author: Bram Moolenaar <Bram@vim.org>
Date:   Thu Feb 9 21:07:12 2017 +0100

    patch 8.0.0322: possible overflow with corrupted spell file
    
    Problem:    Possible overflow with spell file where the tree length is
                corrupted.
    Solution:   Check for an invalid length (suggested by shqking)

diff --git a/src/spell.c b/src/spell.c
index c7d87c6c7..8b1a3a633 100644
--- a/src/spell.c
+++ b/src/spell.c
@@ -1595,6 +1595,9 @@ spell_read_tree(
     len = get4c(fd);
     if (len < 0)
 	return SP_TRUNCERROR;
+    if (len >= 0x3ffffff)
+	/* Invalid length, multiply with sizeof(int) would overflow. */
+	return SP_FORMERROR;
     if (len > 0)
     {
 	/* Allocate the byte array. */