authorzeertzjq <zeertzjq@outlook.com>2023-11-17 07:18:12 +0800
committerzeertzjq <zeertzjq@outlook.com>2023-11-17 07:19:14 +0800
commit9d39ad63182cebe18f89152f2239ff8aeff58308 (patch)
tree827a1d203588a6688a3e7c6cf82d7417deaf4690
parent809b05bf276892101895a713e1b8d1c209e5dfb7 (diff)
vim-patch:9.0.2111: [security]: overflow in get_number
Problem: [security]: overflow in get_number Solution: Return 0 when the count gets too large [security]: overflow in get_number When using the z= command, we may overflow the count with values larger than MAX_INT. So verify that we do not overflow and in case when an overflow is detected, simply return 0 https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968 Co-authored-by: Christian Brabandt <cb@256bit.org>
-rw-r--r--src/nvim/input.c3
-rw-r--r--test/old/testdir/test_spell.vim9
2 files changed, 12 insertions, 0 deletions
diff --git a/src/nvim/input.c b/src/nvim/input.c
index 2f5eb49ce0..d6ade22fdb 100644
--- a/src/nvim/input.c
+++ b/src/nvim/input.c
@@ -180,6 +180,9 @@ int get_number(int colon, int *mouse_used)
ui_cursor_goto(msg_row, msg_col);
int c = safe_vgetc();
if (ascii_isdigit(c)) {
+ if (n > INT_MAX / 10) {
+ return 0;
+ }
n = n * 10 + c - '0';
msg_putchar(c);
typed++;
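Review bot: The added guard `if (n > INT_MAX / 10)` stops the multiplication from overflowing, but not the addition of the digit on the next line. When `n` equals `INT_MAX / 10` exactly, `n * 10 + c - '0'` still exceeds `INT_MAX` for the largest digits, which is signed overflow if `n` is an `int` (its declaration is outside the hunk, so confirm). Folding the digit into the bound closes that last step: `if (n > (INT_MAX - (c - '0')) / 10) {`. The count used in the new test in test_spell.vim is many digits past the limit, so it trips the guard early and never reaches this boundary. get_number's body starts and ends outside the hunk, so whether an early `return 0` skips any prompt cleanup cannot be judged from here.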
diff --git a/test/old/testdir/test_spell.vim b/test/old/testdir/test_spell.vim
index b2fc40ee08..a19b64a7de 100644
--- a/test/old/testdir/test_spell.vim
+++ b/test/old/testdir/test_spell.vim
@@ -1081,6 +1081,15 @@ func Test_spell_compatible()
call StopVimInTerminal(buf)
endfunc
+func Test_z_equal_with_large_count()
+ split
+ set spell
+ call setline(1, "ff")
+ norm 0z=337203685477580
+ set nospell
+ bwipe!
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
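Review bot: Test_z_equal_with_large_count has no assertion and no comment, so it passes whenever Vim does not crash and only detects the overflow under a sanitizer or trapping build. A leading comment such as `" A huge count typed at the z= prompt must not overflow in get_number()` would record the intent. Presumably the early return leaves the line untouched, in which case `call assert_equal('ff', getline(1))` before `set nospell` would pin the observable result; confirm that against the actual behaviour first. A second `norm 0z=` line with a count just above INT_MAX would also exercise the edge of the check rather than only a value far beyond it.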