author zeertzjq <zeertzjq@outlook.com> 2023-11-17 07:18:12 +0800
committer zeertzjq <zeertzjq@outlook.com> 2023-11-17 07:19:14 +0800
commit 9d39ad63182cebe18f89152f2239ff8aeff58308 (patch)
tree 827a1d203588a6688a3e7c6cf82d7417deaf4690 /src
parent 809b05bf276892101895a713e1b8d1c209e5dfb7 (diff)
vim-patch:9.0.2111: [security]: overflow in get_number

Problem: [security]: overflow in get_number
Solution: Return 0 when the count gets too large

[security]: overflow in get_number

When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0

https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968

Co-authored-by: Christian Brabandt <cb@256bit.org>

Diffstat (limited to 'src')
-rw-r--r-- src/nvim/input.c | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/nvim/input.c b/src/nvim/input.c
index 2f5eb49ce0..d6ade22fdb 100644
--- a/src/nvim/input.c
+++ b/src/nvim/input.c
@@ -180,6 +180,9 @@ int get_number(int colon, int *mouse_used)
ui_cursor_goto(msg_row, msg_col);
int c = safe_vgetc();
if (ascii_isdigit(c)) {
+ if (n > INT_MAX / 10) {
+ return 0;
+ }
n = n * 10 + c - '0';
msg_putchar(c);
typed++;
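
Review bot: The added guard "if (n > INT_MAX / 10)" bounds only the multiplication, so the unchanged line "n = n * 10 + c - '0';" right after it can still overflow. When n equals INT_MAX / 10 the check passes and n * 10 is in range, but the expression is evaluated as (n * 10 + c) - '0', and c is an int holding the digit's character code, so the intermediate sum exceeds INT_MAX before '0' is subtracted; even with the subtraction grouped first, a final digit of 8 or 9 goes past INT_MAX. This assumes n is an int, which the INT_MAX bound implies but the hunk does not show. Suggest computing the digit value first and bounding both steps: "int d = c - '0';", then "if (n > (INT_MAX - d) / 10) { return 0; }", then "n = n * 10 + d;". A short comment on the early return saying that 0 is the overflow result would also help, since the hunk gives no indication of why the function bails out there.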