diff options
| author | Christian Brabandt <cb@256bit.org> | 2023-11-14 21:33:29 +0100 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2023-11-16 22:04:38 +0100 |
| commit | 060623e4a3bc72b011e7cd92bedb3bfb64e06200 (patch) | |
| tree | 10d957de477543bcf11d3973dabc0a62f1981520 /src | |
| parent | 58f9befca1fa172068effad7f2ea5a9d6a7b0cca (diff) | |
patch 9.0.2110: [security]: overflow in ex address parsingv9.0.2110
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/ex_docmd.c | 2 | ||||
| -rw-r--r-- | src/testdir/test_excmd.vim | 4 | ||||
| -rw-r--r-- | src/version.c | 2 |
3 files changed, 7 insertions, 1 deletions
diff --git a/src/ex_docmd.c b/src/ex_docmd.c index 06837ac92c..01d411a632 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -4644,7 +4644,7 @@ get_address( lnum -= n; else { - if (n >= LONG_MAX - lnum) + if (lnum >= 0 && n >= LONG_MAX - lnum) { emsg(_(e_line_number_out_of_range)); goto error; diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim index 3637351f63..47fc26726d 100644 --- a/src/testdir/test_excmd.vim +++ b/src/testdir/test_excmd.vim @@ -724,5 +724,9 @@ func Test_write_after_rename() bwipe! endfunc +" catch address lines overflow +func Test_ex_address_range_overflow() + call assert_fails(':--+foobar', 'E492:') +endfunc " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 2f82473f59..86fa528c8a 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2110, +/**/ 2109, /**/ 2108, |