aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-24 03:44:06 -04:00
Code Activity

patch 9.0.2109: [security]: overflow in nv_z_get_count

Browse Source 
Problem:  [security]: overflow in nv_z_get_count
Solution: break out, if count is too large

When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2023-11-14 21:02:30 +01:00
parent ac63787734
commit 58f9befca1
3 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/normal.c
View File

@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
if (nchar == K_DEL || nchar == K_KDEL) if (nchar == K_DEL || nchar == K_KDEL)
n /= 10; n /= 10;
else if (VIM_ISDIGIT(nchar)) else if (VIM_ISDIGIT(nchar))
{
if (n > LONG_MAX / 10)
{
clearopbeep(cap->oap);
break;
}
n = n * 10 + (nchar - '0'); n = n * 10 + (nchar - '0');
}
else if (nchar == CAR) else if (nchar == CAR)
{ {
#ifdef FEAT_GUI #ifdef FEAT_GUI

5
src/testdir/test_normal.vim
View File

@@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank()
bw! bw!
endfunc endfunc
func Test_normal34_zet_large()
" shouldn't cause overflow
norm! z9765405999999999999
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab

2
src/version.c
View File

@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
2109,
/**/ /**/
2108, 2108,
/**/ /**/