From a4c111ae690448176ae584b9a2181923d1b2cdbd Mon Sep 17 00:00:00 2001 From: zeertzjq Date: Fri, 17 Nov 2023 06:41:03 +0800 Subject: vim-patch:9.0.2108: [security]: overflow with count for :s command Problem: [security]: overflow with count for :s command Solution: Abort the :s command if the count is too large If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Adds a test with INT_MAX as count and verify it correctly fails. It seems the return value on Windows using mingw compiler wraps around, so the initial test using :s/./b/9999999999999999999999999990 doesn't fail there, since the count is wrapping around several times and finally is no longer larger than 2147483647. So let's just use 2147483647 in the test, which hopefully will always cause a failure https://github.com/vim/vim/commit/ac63787734fda2e294e477af52b3bd601517fa78 Co-authored-by: Christian Brabandt --- test/old/testdir/test_substitute.vim | 1 + 1 file changed, 1 insertion(+) (limited to 'test') diff --git a/test/old/testdir/test_substitute.vim b/test/old/testdir/test_substitute.vim index 956d51893d..75062f13aa 100644 --- a/test/old/testdir/test_substitute.vim +++ b/test/old/testdir/test_substitute.vim @@ -206,6 +206,7 @@ func Test_substitute_count() call assert_equal(['foo foo', 'foo foo', 'foo foo', 'bar foo', 'bar foo'], \ getline(1, '$')) + call assert_fails('s/./b/2147483647', 'E1510:') bwipe! endfunc -- cgit