patch 9.0.2109: [security]: overflow in nv_z_get_countv9.0.2109

Problem: [security]: overflow in nv_z_get_count Solution: break out, if count is too large When getting the count for a normal z command, it may overflow for large counts given. So verify, that we can safely store the result in a long. Signed-off-by: Christian Brabandt <cb@256bit.org>
author: Christian Brabandt <cb@256bit.org> 2023-11-14 21:02:30 +0100
committer: Christian Brabandt <cb@256bit.org> 2023-11-16 22:04:37 +0100
commit: 58f9befca1fa172068effad7f2ea5a9d6a7b0cca (patch)
tree: 8bb272a54db549b297f4c79abd3024850a473809 /src/normal.c
parent: ac63787734fda2e294e477af52b3bd601517fa78 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/src/normal.c b/src/normal.c
index a06d61e6fc..16b4b45069 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
 	if (nchar == K_DEL || nchar == K_KDEL)
 	    n /= 10;
 	else if (VIM_ISDIGIT(nchar))
+	{
+	    if (n > LONG_MAX / 10)
+	    {
+		clearopbeep(cap->oap);
+		break;
+	    }
 	    n = n * 10 + (nchar - '0');
+	}
 	else if (nchar == CAR)
 	{
 #ifdef FEAT_GUI
author	Christian Brabandt <cb@256bit.org>	2023-11-14 21:02:30 +0100
committer	Christian Brabandt <cb@256bit.org>	2023-11-16 22:04:37 +0100
commit	58f9befca1fa172068effad7f2ea5a9d6a7b0cca (patch)
tree	8bb272a54db549b297f4c79abd3024850a473809 /src/normal.c
parent	ac63787734fda2e294e477af52b3bd601517fa78 (diff)