commit 809b05bf276892101895a713e1b8d1c209e5dfb7
parent 016c6fae2740781a4c62f382673de1f86732533a
Author: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 17 Nov 2023 07:14:07 +0800
vim-patch:9.0.2110: [security]: overflow in ex address parsing
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c
@@ -3552,7 +3552,7 @@ static linenr_T get_address(exarg_T *eap, char **ptr, cmd_addr_T addr_type, int
if (i == '-') {
lnum -= n;
} else {
- if (n >= INT32_MAX - lnum) {
+ if (lnum >= 0 && n >= INT32_MAX - lnum) {
*errormsg = _(e_line_number_out_of_range);
goto error;
}
diff --git a/test/old/testdir/test_excmd.vim b/test/old/testdir/test_excmd.vim
@@ -745,5 +745,9 @@ func Test_write_after_rename()
bwipe!
endfunc
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+ call assert_fails(':--+foobar', 'E492:')
+endfunc
" vim: shiftwidth=2 sts=2 expandtab
