vim-patch:9.0.2110: [security]: overflow in ex address parsing

Problem:  [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
          LONG_MAX

[security]: overflow in ex address parsing

When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).

So verify that lnum is actually positive before doing the overflow
check.

https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200

Co-authored-by: Christian Brabandt <cb@256bit.org>

2 files changed, 5 insertions, 1 deletions

diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c
index fee712bbed..0ca6e8bedb 100644
--- a/src/nvim/ex_docmd.c
+++ b/src/nvim/ex_docmd.c
@@ -3552,7 +3552,7 @@ static linenr_T get_address(exarg_T *eap, char **ptr, cmd_addr_T addr_type, int
         if (i == '-') {
           lnum -= n;
         } else {
-          if (n >= INT32_MAX - lnum) {
+          if (lnum >= 0 && n >= INT32_MAX - lnum) {
             *errormsg = _(e_line_number_out_of_range);
             goto error;
           }
diff --git a/test/old/testdir/test_excmd.vim b/test/old/testdir/test_excmd.vim
index 15c83709ad..c729ff4929 100644
--- a/test/old/testdir/test_excmd.vim
+++ b/test/old/testdir/test_excmd.vim
@@ -745,5 +745,9 @@ func Test_write_after_rename()
   bwipe!
 endfunc
 
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+  call assert_fails(':--+foobar', 'E492:')
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab