Commit: patch 9.0.2110: [security]: overflow in ex address parsing
8 views
Skip to first unread message
Christian Brabandt
Nov 16, 2023, 4:15:17 PM11/16/23
to vim...@googlegroups.com
patch 9.0.2110: [security]: overflow in ex address parsing
Commit: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Nov 14 21:33:29 2023 +0100
patch 9.0.2110: [security]: overflow in ex address parsing
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 06837ac92..01d411a63 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4644,7 +4644,7 @@ get_address(
lnum -= n;
else
{
- if (n >= LONG_MAX - lnum)
+ if (lnum >= 0 && n >= LONG_MAX - lnum)
{
emsg(_(e_line_number_out_of_range));
goto error;
diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
index 3637351f6..47fc26726 100644
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim
@@ -724,5 +724,9 @@ func Test_write_after_rename()
bwipe!
endfunc
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+ call assert_fails(':--+foobar', 'E492:')
+endfunc
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 2f82473f5..86fa528c8 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2110,
/**/
2109,
/**/
Commit: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Nov 14 21:33:29 2023 +0100
patch 9.0.2110: [security]: overflow in ex address parsing
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 06837ac92..01d411a63 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4644,7 +4644,7 @@ get_address(
lnum -= n;
else
{
- if (n >= LONG_MAX - lnum)
+ if (lnum >= 0 && n >= LONG_MAX - lnum)
{
emsg(_(e_line_number_out_of_range));
goto error;
diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
index 3637351f6..47fc26726 100644
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim
@@ -724,5 +724,9 @@ func Test_write_after_rename()
bwipe!
endfunc
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+ call assert_fails(':--+foobar', 'E492:')
+endfunc
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 2f82473f5..86fa528c8 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2110,
/**/
2109,
/**/
Reply all
Reply to author
Forward
0 new messages