patch 9.0.2110: [security]: overflow in ex address parsing

Problem: [security]: overflow in ex address parsing Solution: Verify that lnum is positive, before substracting from LONG_MAX [security]: overflow in ex address parsing When parsing relative ex addresses one may unintentionally cause an overflow (because LONG_MAX - lnum will overflow for negative addresses). So verify that lnum is actually positive before doing the overflow check. Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-09-25 03:54:15 -04:00 · 2023-11-14 21:33:29 +01:00
parent 58f9befca1
commit 060623e4a3
3 changed files with 7 additions and 1 deletions
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4644,7 +4644,7 @@ get_address(
 		    lnum -= n;
 		else
 		{
-		    if (n >= LONG_MAX - lnum)
+		    if (lnum >= 0 && n >= LONG_MAX - lnum)
 		    {
 			emsg(_(e_line_number_out_of_range));
 			goto error;
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim
@@ -724,5 +724,9 @@ func Test_write_after_rename()
  bwipe!
 endfunc

+" catch address lines overflow
+func Test_ex_address_range_overflow()
+  call assert_fails(':--+foobar', 'E492:')
+endfunc

 " vim: shiftwidth=2 sts=2 expandtab
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2110,
 /**/
    2109,
 /**/