vim-patch:9.0.2109: [security]: overflow in nv_z_get_count

Problem: [security]: overflow in nv_z_get_count Solution: break out, if count is too large When getting the count for a normal z command, it may overflow for large counts given. So verify, that we can safely store the result in a long. https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca Co-authored-by: Christian Brabandt <cb@256bit.org>
author: zeertzjq <zeertzjq@outlook.com> 2023-11-17 07:11:56 +0800
committer: zeertzjq <zeertzjq@outlook.com> 2023-11-17 07:13:49 +0800
commit: 016c6fae2740781a4c62f382673de1f86732533a (patch)
tree: 37f939b78b69594a997e8a7acdb94e05d726b8ef /src
parent: a4c111ae690448176ae584b9a2181923d1b2cdbd (diff)
download: rneovim-016c6fae2740781a4c62f382673de1f86732533a.tar.gz
rneovim-016c6fae2740781a4c62f382673de1f86732533a.tar.bz2
rneovim-016c6fae2740781a4c62f382673de1f86732533a.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/nvim/normal.c b/src/nvim/normal.c
index f0f3d35468..a68d1098e5 100644
--- a/src/nvim/normal.c
+++ b/src/nvim/normal.c
@@ -2695,6 +2695,10 @@ static bool nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
     if (nchar == K_DEL || nchar == K_KDEL) {
       n /= 10;
     } else if (ascii_isdigit(nchar)) {
+      if (n > INT_MAX / 10) {
+        clearopbeep(cap->oap);
+        break;
+      }
       n = n * 10 + (nchar - '0');
     } else if (nchar == CAR) {
       win_setheight(n);
author	zeertzjq <zeertzjq@outlook.com>	2023-11-17 07:11:56 +0800
committer	zeertzjq <zeertzjq@outlook.com>	2023-11-17 07:13:49 +0800
commit	016c6fae2740781a4c62f382673de1f86732533a (patch)
tree	37f939b78b69594a997e8a7acdb94e05d726b8ef /src
parent	a4c111ae690448176ae584b9a2181923d1b2cdbd (diff)
download	rneovim-016c6fae2740781a4c62f382673de1f86732533a.tar.gz rneovim-016c6fae2740781a4c62f382673de1f86732533a.tar.bz2 rneovim-016c6fae2740781a4c62f382673de1f86732533a.zip