commit 016c6fae2740781a4c62f382673de1f86732533a
parent a4c111ae690448176ae584b9a2181923d1b2cdbd
Author: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 17 Nov 2023 07:11:56 +0800
vim-patch:9.0.2109: [security]: overflow in nv_z_get_count
Problem: [security]: overflow in nv_z_get_count
Solution: break out, if count is too large
When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.
https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
2 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/src/nvim/normal.c b/src/nvim/normal.c
@@ -2695,6 +2695,10 @@ static bool nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
if (nchar == K_DEL || nchar == K_KDEL) {
n /= 10;
} else if (ascii_isdigit(nchar)) {
+ if (n > INT_MAX / 10) {
+ clearopbeep(cap->oap);
+ break;
+ }
n = n * 10 + (nchar - '0');
} else if (nchar == CAR) {
win_setheight(n);
diff --git a/test/old/testdir/test_normal.vim b/test/old/testdir/test_normal.vim
@@ -4164,4 +4164,9 @@ func Test_normal33_g_cmd_nonblank()
bw!
endfunc
+func Test_normal34_zet_large()
+ " shouldn't cause overflow
+ norm! z9765405999999999999
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
