From 22cbc8a4e17ce61aa460c451a26e1bff2c3d2af9 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Sun, 19 Nov 2023 10:47:21 +0100
Subject: patch 9.0.2114: overflow detection not accurate when adding digits

Problem:  overflow detection not accurate when adding digits
Solution: Use a helper function

Use a helper function to better detect overflows before adding integer
digits to a long or an integer variable respectively. Signal the
overflow to the caller function.

closes: #13539

Signed-off-by: Christian Brabandt <cb@256bit.org>
Signed-off-by: Michael Henry <vim@drmikehenry.com>
Signed-off-by: Ernie Rael <errael@raelity.com>
---
 src/misc1.c         | 25 +++++++++++++++++++++++--
 src/normal.c        |  3 +--
 src/proto/misc1.pro |  2 ++
 src/version.c       |  2 ++
 4 files changed, 28 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/misc1.c b/src/misc1.c
index 5f9828ebe9..dc0deae67a 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -975,9 +975,8 @@ get_number(
 	c = safe_vgetc();
 	if (VIM_ISDIGIT(c))
 	{
-	    if (n > INT_MAX / 10)
+	    if (vim_append_digit_int(&n, c - '0') == FAIL)
 		return 0;
-	    n = n * 10 + c - '0';
 	    msg_putchar(c);
 	    ++typed;
 	}
@@ -2817,3 +2816,25 @@ may_trigger_modechanged(void)
     restore_v_event(v_event, &save_v_event);
 #endif
 }
+
+// For overflow detection, add a digit safely to an int value.
+    int
+vim_append_digit_int(int *value, int digit)
+{
+    int x = *value;
+    if (x > ((INT_MAX - digit) / 10))
+	return FAIL;
+    *value = x * 10 + digit;
+    return OK;
+}
+
+// For overflow detection, add a digit safely to a long value.
+    int
+vim_append_digit_long(long *value, int digit)
+{
+    long x = *value;
+    if (x > ((LONG_MAX - (long)digit) / 10))
+	return FAIL;
+    *value = x * 10 + (long)digit;
+    return OK;
+}
diff --git a/src/normal.c b/src/normal.c
index 16b4b45069..61a19c13a4 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -2563,12 +2563,11 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
 	    n /= 10;
 	else if (VIM_ISDIGIT(nchar))
 	{
-	    if (n > LONG_MAX / 10)
+	    if (vim_append_digit_long(&n, nchar - '0') == FAIL)
 	    {
 		clearopbeep(cap->oap);
 		break;
 	    }
-	    n = n * 10 + (nchar - '0');
 	}
 	else if (nchar == CAR)
 	{
diff --git a/src/proto/misc1.pro b/src/proto/misc1.pro
index b87b7ea747..2b8e9d8f26 100644
--- a/src/proto/misc1.pro
+++ b/src/proto/misc1.pro
@@ -53,4 +53,6 @@ int path_with_url(char_u *fname);
 dict_T *get_v_event(save_v_event_T *sve);
 void restore_v_event(dict_T *v_event, save_v_event_T *sve);
 void may_trigger_modechanged(void);
+int vim_append_digit_int(int *value, int digit);
+int vim_append_digit_long(long *value, int digit);
 /* vim: set ft=c : */
diff --git a/src/version.c b/src/version.c
index 00b532075c..2a0a6e77dd 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2114,
 /**/
     2113,
 /**/
-- 
cgit v1.2.3