patch 9.0.2068: [security] overflow in :historyv9.0.2068

Problem: [security] overflow in :history Solution: Check that value fits into int The get_list_range() function, used to parse numbers for the :history and :clist command internally uses long variables to store the numbers. However function arguments are integer pointers, which can then overflow. Check that the return value from the vim_str2nr() function is not larger than INT_MAX and if yes, bail out with an error. I guess nobody uses a cmdline/clist history that needs so many entries... (famous last words). It is only a moderate vulnerability, so impact should be low. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm Signed-off-by: Christian Brabandt <cb@256bit.org>
author: Christian Brabandt <cb@256bit.org> 2023-10-26 21:29:32 +0200
committer: Christian Brabandt <cb@256bit.org> 2023-10-26 21:29:32 +0200
commit: 9198c1f2b1ddecde22af918541e0de2a32f0f45a (patch)
tree: 2af602f979b00fea18542cd679191c320009f9b2 /src/cmdhist.c
parent: 5f5131d775bf9966976e39aa38b070036cbfe969 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/cmdhist.c b/src/cmdhist.c
index d398ca7a68..96a9b3e95b 100644
--- a/src/cmdhist.c
+++ b/src/cmdhist.c
@@ -742,7 +742,10 @@ ex_history(exarg_T *eap)
 	end = arg;
     if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
     {
-	semsg(_(e_trailing_characters_str), end);
+	if (*end != NUL)
+	    semsg(_(e_trailing_characters_str), end);
+	else
+	    semsg(_(e_val_too_large), arg);
 	return;
     }
author	Christian Brabandt <cb@256bit.org>	2023-10-26 21:29:32 +0200
committer	Christian Brabandt <cb@256bit.org>	2023-10-26 21:29:32 +0200
commit	9198c1f2b1ddecde22af918541e0de2a32f0f45a (patch)
tree	2af602f979b00fea18542cd679191c320009f9b2 /src/cmdhist.c
parent	5f5131d775bf9966976e39aa38b070036cbfe969 (diff)