diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 07:11:56 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 07:13:49 +0800 |
| commit | 016c6fae2740781a4c62f382673de1f86732533a (patch) | |
| tree | 37f939b78b69594a997e8a7acdb94e05d726b8ef | |
| parent | a4c111ae690448176ae584b9a2181923d1b2cdbd (diff) | |
| download | rneovim-016c6fae2740781a4c62f382673de1f86732533a.tar.gz rneovim-016c6fae2740781a4c62f382673de1f86732533a.tar.bz2 rneovim-016c6fae2740781a4c62f382673de1f86732533a.zip | |
vim-patch:9.0.2109: [security]: overflow in nv_z_get_count
Problem: [security]: overflow in nv_z_get_count
Solution: break out, if count is too large
When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.
https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
Co-authored-by: Christian Brabandt <cb@256bit.org>
| -rw-r--r-- | src/nvim/normal.c | 4 | ||||
| -rw-r--r-- | test/old/testdir/test_normal.vim | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/src/nvim/normal.c b/src/nvim/normal.c index f0f3d35468..a68d1098e5 100644 --- a/src/nvim/normal.c +++ b/src/nvim/normal.c @@ -2695,6 +2695,10 @@ static bool nv_z_get_count(cmdarg_T *cap, int *nchar_arg) if (nchar == K_DEL || nchar == K_KDEL) { n /= 10; } else if (ascii_isdigit(nchar)) { + if (n > INT_MAX / 10) { + clearopbeep(cap->oap); + break; + } n = n * 10 + (nchar - '0'); } else if (nchar == CAR) { win_setheight(n); diff --git a/test/old/testdir/test_normal.vim b/test/old/testdir/test_normal.vim index f5ef2cc4ca..6a8c15bd48 100644 --- a/test/old/testdir/test_normal.vim +++ b/test/old/testdir/test_normal.vim @@ -4164,4 +4164,9 @@ func Test_normal33_g_cmd_nonblank() bw! endfunc +func Test_normal34_zet_large() + " shouldn't cause overflow + norm! z9765405999999999999 +endfunc + " vim: shiftwidth=2 sts=2 expandtab |