From 060623e4a3bc72b011e7cd92bedb3bfb64e06200 Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Tue, 14 Nov 2023 21:33:29 +0100 Subject: patch 9.0.2110: [security]: overflow in ex address parsing Problem: [security]: overflow in ex address parsing Solution: Verify that lnum is positive, before substracting from LONG_MAX [security]: overflow in ex address parsing When parsing relative ex addresses one may unintentionally cause an overflow (because LONG_MAX - lnum will overflow for negative addresses). So verify that lnum is actually positive before doing the overflow check. Signed-off-by: Christian Brabandt --- src/ex_docmd.c | 2 +- src/testdir/test_excmd.vim | 4 ++++ src/version.c | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/ex_docmd.c b/src/ex_docmd.c index 06837ac92c..01d411a632 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -4644,7 +4644,7 @@ get_address( lnum -= n; else { - if (n >= LONG_MAX - lnum) + if (lnum >= 0 && n >= LONG_MAX - lnum) { emsg(_(e_line_number_out_of_range)); goto error; diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim index 3637351f63..47fc26726d 100644 --- a/src/testdir/test_excmd.vim +++ b/src/testdir/test_excmd.vim @@ -724,5 +724,9 @@ func Test_write_after_rename() bwipe! endfunc +" catch address lines overflow +func Test_ex_address_range_overflow() + call assert_fails(':--+foobar', 'E492:') +endfunc " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index 2f82473f59..86fa528c8a 100644 --- a/src/version.c +++ b/src/version.c @@ -704,6 +704,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 2110, /**/ 2109, /**/ -- cgit v1.2.3