authorFlorian Larysch <fl@n621.de>2016-10-08 17:55:55 +0200
committerJustin M. Keyes <justinkz@gmail.com>2016-10-26 13:05:25 +0200
commit2a6c5bb0c4b03a9da81dae64d37c9912e448eaf0 (patch)
tree0fd9119bf18da9f765ae85b01747a853f2f8906b /src/nvim/buffer.c
parent0f32088ea23fbbe9557c89a9e075f2e9b9e158a4 (diff)
modeline: Handle version number overflow. #5450
Closes #5449. A file containing the string "vim" followed by a very large number in a modeline location will trigger an overflow in getdigits(), which is called by chk_modeline() when trying to parse the version number. Add getdigits_safe(), which does not assert on overflow but reports it to the caller.
Diffstat (limited to 'src/nvim/buffer.c')
-rw-r--r--src/nvim/buffer.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/src/nvim/buffer.c b/src/nvim/buffer.c
index 5fb011885e..a573c20648 100644
--- a/src/nvim/buffer.c
+++ b/src/nvim/buffer.c
@@ -4509,7 +4509,7 @@ chk_modeline (
char_u *e;
char_u *linecopy; /* local copy of any modeline found */
int prev;
- int vers;
+ intmax_t vers;
int end;
int retval = OK;
char_u *save_sourcing_name;
@@ -4528,7 +4528,10 @@ chk_modeline (
e = s + 4;
else
e = s + 3;
- vers = getdigits_int(&e);
+ if (getdigits_safe(&e, &vers) != OK) {
+ continue;
+ }
+
if (*e == ':'
&& (s[0] != 'V'
|| STRNCMP(skipwhite(e + 1), "set", 3) == 0)
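Review bot: The new `continue` after a failed `getdigits_safe(&e, &vers)` has no comment saying why an out-of-range version number is skipped silently, and this is the path that handles untrusted file content. I would add something like `// Version number out of range: not a usable modeline, keep scanning.` above the `continue`. The enclosing loop starts outside this hunk, so the fact that `continue` resumes the scan at the next character of the same line is inferred and worth confirming. The diffstat shown is limited to this file, so I cannot tell whether a regression test with an oversized modeline version accompanies the change; one would pin the behaviour.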
@@ -4536,8 +4539,9 @@ chk_modeline (
|| (VIM_VERSION_100 >= vers && isdigit(s[3]))
|| (VIM_VERSION_100 < vers && s[3] == '<')
|| (VIM_VERSION_100 > vers && s[3] == '>')
- || (VIM_VERSION_100 == vers && s[3] == '=')))
+ || (VIM_VERSION_100 == vers && s[3] == '='))) {
break;
+ }
}
}
prev = *s;