From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Thu, 26 Oct 2023 21:29:32 +0200 Subject: patch 9.0.2068: [security] overflow in :history Problem: [security] overflow in :history Solution: Check that value fits into int The get_list_range() function, used to parse numbers for the :history and :clist command internally uses long variables to store the numbers. However function arguments are integer pointers, which can then overflow. Check that the return value from the vim_str2nr() function is not larger than INT_MAX and if yes, bail out with an error. I guess nobody uses a cmdline/clist history that needs so many entries... (famous last words). It is only a moderate vulnerability, so impact should be low. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm Signed-off-by: Christian Brabandt --- src/ex_getln.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/ex_getln.c') diff --git a/src/ex_getln.c b/src/ex_getln.c index 9683e2ebd5..8f0be52088 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c @@ -4377,6 +4377,10 @@ get_list_range(char_u **str, int *num1, int *num2) { vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE, NULL); *str += len; + // overflow + if (num > INT_MAX) + return FAIL; + *num1 = (int)num; first = TRUE; } @@ -4387,8 +4391,12 @@ get_list_range(char_u **str, int *num1, int *num2) vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE, NULL); if (len > 0) { - *num2 = (int)num; *str = skipwhite(*str + len); + // overflow + if (num > INT_MAX) + return FAIL; + + *num2 = (int)num; } else if (!first) // no number given at all return FAIL; -- cgit v1.2.3