Commit: patch 9.0.2109: [security]: overflow in nv_z_get_count
7 views
Skip to first unread message
Christian Brabandt
Nov 16, 2023, 4:15:16 PM11/16/23
to vim...@googlegroups.com
patch 9.0.2109: [security]: overflow in nv_z_get_count
Commit: https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Nov 14 21:02:30 2023 +0100
patch 9.0.2109: [security]: overflow in nv_z_get_count
Problem: [security]: overflow in nv_z_get_count
Solution: break out, if count is too large
When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/normal.c b/src/normal.c
index a06d61e6f..16b4b4506 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
if (nchar == K_DEL || nchar == K_KDEL)
n /= 10;
else if (VIM_ISDIGIT(nchar))
+ {
+ if (n > LONG_MAX / 10)
+ {
+ clearopbeep(cap->oap);
+ break;
+ }
n = n * 10 + (nchar - '0');
+ }
else if (nchar == CAR)
{
#ifdef FEAT_GUI
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index c7d37f066..6b889f46b 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank()
bw!
endfunc
+func Test_normal34_zet_large()
+ " shouldn't cause overflow
+ norm! z9765405999999999999
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 16db8f231..2f82473f5 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2109,
/**/
2108,
/**/
Commit: https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Nov 14 21:02:30 2023 +0100
patch 9.0.2109: [security]: overflow in nv_z_get_count
Problem: [security]: overflow in nv_z_get_count
Solution: break out, if count is too large
When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/normal.c b/src/normal.c
index a06d61e6f..16b4b4506 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
if (nchar == K_DEL || nchar == K_KDEL)
n /= 10;
else if (VIM_ISDIGIT(nchar))
+ {
+ if (n > LONG_MAX / 10)
+ {
+ clearopbeep(cap->oap);
+ break;
+ }
n = n * 10 + (nchar - '0');
+ }
else if (nchar == CAR)
{
#ifdef FEAT_GUI
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index c7d37f066..6b889f46b 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank()
bw!
endfunc
+func Test_normal34_zet_large()
+ " shouldn't cause overflow
+ norm! z9765405999999999999
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 16db8f231..2f82473f5 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2109,
/**/
2108,
/**/
Reply all
Reply to author
Forward
0 new messages