aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-07-26 11:04:33 -04:00
Code

patch 9.0.2111: [security]: overflow in get_number

Browse Source 
Problem:  [security]: overflow in get_number
Solution: Return 0 when the count gets too large

[security]: overflow in get_number

When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt 2023-11-14 21:58:26 +01:00
parent 060623e4a3
commit 73b2d3790c
No known key found for this signature in database
GPG Key ID: F3F92DA383FDDE09
3 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/misc1.c
View File

@ -975,6 +975,8 @@ get_number(
c = safe_vgetc();
if (VIM_ISDIGIT(c))
{
if (n > INT_MAX / 10)
return 0;
n = n * 10 + c - '0';
msg_putchar(c);
++typed;

9
src/testdir/test_spell.vim
View File

@ -1077,6 +1077,15 @@ func Test_spell_compatible()
call StopVimInTerminal(buf)
endfunc
func Test_z_equal_with_large_count()
split
set spell
call setline(1, "ff")
norm 0z=337203685477580
set nospell
bwipe!
endfunc
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",

2
src/version.c
View File

@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
2111,
/**/
2110,
/**/