author | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 08:40:02 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-17 08:40:02 +0800 |
commit | 6952b1951b6a60df8d477279f4451094fb51c413 (patch) | |
tree | b9ef8b5821c4c263f6d390ffeb4fa15b5f3ee2e4 /src/nvim/regexp.c | |
parent | 133a592d191719023a9151a489d80fcdbed93ed7 (diff) | |
vim-patch:9.0.2107: [security]: FPE in adjust_plines_for_skipcol (#26082)
Problem: [security]: FPE in adjust_plines_for_skipcol
Solution: don't divide by zero, return zero
Prevent a floating point exception when calculating w_skipcol (which can
happen with a small window when the number option is set and cpo+=n).
Add a test to verify
https://github.com/vim/vim/commit/cb0b99f0672d8446585d26e998343dceca17d1ce
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim/regexp.c')
-rw-r--r-- | src/nvim/regexp.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/src/nvim/regexp.c b/src/nvim/regexp.c
index 9e08d2615b..dc7ff30513 100644
--- a/src/nvim/regexp.c
+++ b/src/nvim/regexp.c
@@ -1294,9 +1294,7 @@ static bool reg_match_visual(void)
 rex.line = (uint8_t *)reg_getline(rex.lnum);
 rex.input = rex.line + col;
- unsigned cols_u = win_linetabsize(wp, rex.reg_firstlnum + rex.lnum, (char *)rex.line, col);
- assert(cols_u <= MAXCOL);
- colnr_T cols = (colnr_T)cols_u;
+ colnr_T cols = win_linetabsize(wp, rex.reg_firstlnum + rex.lnum, (char *)rex.line, col);
 if (cols < start || cols > end - (*p_sel == 'e')) {
 return false;
 }
@@ -6029,11 +6027,10 @@ static bool regmatch(uint8_t *scan, proftime_T *tm, int *timed_out)
 break;
 case RE_VCOL:
- if (!re_num_cmp(win_linetabsize(rex.reg_win == NULL
- ? curwin : rex.reg_win,
- rex.reg_firstlnum + rex.lnum,
- (char *)rex.line,
- (colnr_T)(rex.input - rex.line)) + 1,
+ if (!re_num_cmp((unsigned)win_linetabsize(rex.reg_win == NULL ? curwin : rex.reg_win,
+ rex.reg_firstlnum + rex.lnum,
+ (char *)rex.line,
+ (colnr_T)(rex.input - rex.line)) + 1,
 scan)) {
 status = RA_NOMATCH;
 }
@@ -14754,9 +14751,9 @@ static int nfa_regmatch(nfa_regprog_T *prog, nfa_state_T *start, regsubs_T *subm
 result = col > t->state->val * ts;
 }
 if (!result) {
- uintmax_t lts = win_linetabsize(wp, rex.reg_firstlnum + rex.lnum, (char *)rex.line, col);
+ int lts = win_linetabsize(wp, rex.reg_firstlnum + rex.lnum, (char *)rex.line, col);
 assert(t->state->val >= 0);
- result = nfa_re_num_cmp((uintmax_t)t->state->val, op, lts + 1);
+ result = nfa_re_num_cmp((uintmax_t)t->state->val, op, (uintmax_t)lts + 1);
 }
 if (result) {
 add_here = true; |
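Review bot: The `(unsigned)` cast added in the RE_VCOL case of regmatch() converts the result of win_linetabsize() to an unsigned value before its sign is ever checked, and the nfa_regmatch() hunk does the same with `(uintmax_t)lts + 1`. Judging by the new `int lts` declaration the function now returns a signed int; whether it can actually return a negative value is not visible in this file-limited view, but if it does, both casts turn it into a very large column number and the comparison silently gives the wrong result. nfa_regmatch() already guards the other operand with `assert(t->state->val >= 0);`, so adding `assert(lts >= 0);` beside it would document the same assumption for `lts`. In regmatch() the call could be hoisted into a local `int vcol`, asserted the same way, and passed as `re_num_cmp((unsigned)vcol + 1, scan)`. Both function bodies start and end outside the hunks shown.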