vim-patch:9.0.2068: [security] overflow in :history (#25794)

Problem:  [security] overflow in :history
Solution: Check that value fits into int

The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.

Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).

It is only a moderate vulnerability, so impact should be low.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm

https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a

N/A patch:
vim-patch:9.0.2073: typo in quickfix.c comments

Co-authored-by: Christian Brabandt <cb@256bit.org>

1 files changed, 8 insertions, 0 deletions

diff --git a/test/old/testdir/test_history.vim b/test/old/testdir/test_history.vim
index bb6d671725..482328ab4a 100644
--- a/test/old/testdir/test_history.vim
+++ b/test/old/testdir/test_history.vim
@@ -254,4 +254,12 @@ func Test_history_crypt_key()
   set key& bs& ts&
 endfunc
 
+" The following used to overflow and causing an use-after-free
+func Test_history_max_val()
+
+  set history=10
+  call assert_fails(':history 2147483648', 'E1510:')
+  set history&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab