diff options
author | Christian Brabandt <cb@256bit.org> | 2023-11-14 21:58:26 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-11-16 22:04:38 +0100 |
commit | 73b2d3790cad5694fc0ed0db2926e4220c48d968 (patch) | |
tree | cb4526fbeb18d3ba71e57ea82c57d5d931534b5e /src | |
parent | 060623e4a3bc72b011e7cd92bedb3bfb64e06200 (diff) |
patch 9.0.2111: [security]: overflow in get_numberv9.0.2111
Problem: [security]: overflow in get_number
Solution: Return 0 when the count gets too large
[security]: overflow in get_number
When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/misc1.c | 2 | ||||
-rw-r--r-- | src/testdir/test_spell.vim | 9 | ||||
-rw-r--r-- | src/version.c | 2 |
3 files changed, 13 insertions, 0 deletions
diff --git a/src/misc1.c b/src/misc1.c index 5b008c614a..5f9828ebe9 100644 --- a/src/misc1.c +++ b/src/misc1.c @@ -975,6 +975,8 @@ get_number( c = safe_vgetc(); if (VIM_ISDIGIT(c)) { + if (n > INT_MAX / 10) + return 0; n = n * 10 + c - '0'; msg_putchar(c); ++typed; diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim index be0bc55810..1ddcd83d51 100644 --- a/src/testdir/test_spell.vim +++ b/src/testdir/test_spell.vim @@ -1077,6 +1077,15 @@ func Test_spell_compatible() call StopVimInTerminal(buf) endfunc +func Test_z_equal_with_large_count() + split + set spell + call setline(1, "ff") + norm 0z=337203685477580 + set nospell + bwipe! +endfunc + let g:test_data_aff1 = [ \"SET ISO8859-1", \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", diff --git a/src/version.c b/src/version.c index 86fa528c8a..66aff800bd 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2111, +/**/ 2110, /**/ 2109, |