diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 07:14:07 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 07:16:04 +0800 |
| commit | 809b05bf276892101895a713e1b8d1c209e5dfb7 (patch) | |
| tree | 1bed22e6ccd92f27409b2472a10855c51851ba89 /src/nvim | |
| parent | 016c6fae2740781a4c62f382673de1f86732533a (diff) | |
| download | rneovim-809b05bf276892101895a713e1b8d1c209e5dfb7.tar.gz rneovim-809b05bf276892101895a713e1b8d1c209e5dfb7.tar.bz2 rneovim-809b05bf276892101895a713e1b8d1c209e5dfb7.zip | |
vim-patch:9.0.2110: [security]: overflow in ex address parsing
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim')
| -rw-r--r-- | src/nvim/ex_docmd.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c index fee712bbed..0ca6e8bedb 100644 --- a/src/nvim/ex_docmd.c +++ b/src/nvim/ex_docmd.c @@ -3552,7 +3552,7 @@ static linenr_T get_address(exarg_T *eap, char **ptr, cmd_addr_T addr_type, int if (i == '-') { lnum -= n; } else { - if (n >= INT32_MAX - lnum) { + if (lnum >= 0 && n >= INT32_MAX - lnum) { *errormsg = _(e_line_number_out_of_range); goto error; } |