diff options
| author | Christian Brabandt <cb@256bit.org> | 2023-11-14 21:02:30 +0100 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2023-11-16 22:04:37 +0100 |
| commit | 58f9befca1fa172068effad7f2ea5a9d6a7b0cca (patch) | |
| tree | 8bb272a54db549b297f4c79abd3024850a473809 /src | |
| parent | ac63787734fda2e294e477af52b3bd601517fa78 (diff) | |
patch 9.0.2109: [security]: overflow in nv_z_get_countv9.0.2109
Problem: [security]: overflow in nv_z_get_count
Solution: break out, if count is too large
When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/normal.c | 7 | ||||
| -rw-r--r-- | src/testdir/test_normal.vim | 5 | ||||
| -rw-r--r-- | src/version.c | 2 |
3 files changed, 14 insertions, 0 deletions
diff --git a/src/normal.c b/src/normal.c index a06d61e6fc..16b4b45069 100644 --- a/src/normal.c +++ b/src/normal.c @@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg) if (nchar == K_DEL || nchar == K_KDEL) n /= 10; else if (VIM_ISDIGIT(nchar)) + { + if (n > LONG_MAX / 10) + { + clearopbeep(cap->oap); + break; + } n = n * 10 + (nchar - '0'); + } else if (nchar == CAR) { #ifdef FEAT_GUI diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim index c7d37f066f..6b889f46b3 100644 --- a/src/testdir/test_normal.vim +++ b/src/testdir/test_normal.vim @@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank() bw! endfunc +func Test_normal34_zet_large() + " shouldn't cause overflow + norm! z9765405999999999999 +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 16db8f2312..2f82473f59 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2109, +/**/ 2108, /**/ 2107, |