2 files changed, 13 insertions, 0 deletions

diff --git a/src/nvim/regexp_nfa.c b/src/nvim/regexp_nfa.c
index ab189c0c03..abbb5a3867 100644
--- a/src/nvim/regexp_nfa.c
+++ b/src/nvim/regexp_nfa.c
@@ -1499,6 +1499,10 @@ static int nfa_regatom(void)
       if (c == '<' || c == '>')
         c = getchr();
       while (ascii_isdigit(c)) {
+        if (n > (INT_MAX - (c - '0')) / 10) {
+          EMSG(_("E951: \\% value too large"));
+          return FAIL;
+        }
         n = n * 10 + (c - '0');
         c = getchr();
       }
diff --git a/test/functional/eval/match_functions_spec.lua b/test/functional/eval/match_functions_spec.lua
index 0ec465a34c..421b9e7ea3 100644
--- a/test/functional/eval/match_functions_spec.lua
+++ b/test/functional/eval/match_functions_spec.lua
@@ -156,3 +156,12 @@ describe('matchaddpos()', function()
     ]], {[1] = {foreground = Screen.colors.Red}, [2] = {bold = true, foreground = Screen.colors.Blue1}})
   end)
 end)
+
+describe('nfa_regatom() column search', function()
+  it('fails when column value is greater than a 64-bit integer value', function()
+    expect_err("Vim:E951: \\%% value too large", command, "/\\v%18446744071562067968c")
+  end)
+  it('fails when column value is greater than a 32-bit integer value', function()
+    expect_err("Vim:E951: \\%% value too large", command, "/\\v%2147483648c")
+  end)
+end)