Commit: patch 9.0.2111: [security]: overflow in get_number
8 views
Skip to first unread message
Christian Brabandt
Nov 16, 2023, 4:15:19 PM11/16/23
to vim...@googlegroups.com
patch 9.0.2111: [security]: overflow in get_number
Commit: https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Nov 14 21:58:26 2023 +0100
patch 9.0.2111: [security]: overflow in get_number
Problem: [security]: overflow in get_number
Solution: Return 0 when the count gets too large
[security]: overflow in get_number
When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/misc1.c b/src/misc1.c
index 5b008c614..5f9828ebe 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -975,6 +975,8 @@ get_number(
c = safe_vgetc();
if (VIM_ISDIGIT(c))
{
+ if (n > INT_MAX / 10)
+ return 0;
n = n * 10 + c - '0';
msg_putchar(c);
++typed;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index be0bc5581..1ddcd83d5 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -1077,6 +1077,15 @@ func Test_spell_compatible()
call StopVimInTerminal(buf)
endfunc
+func Test_z_equal_with_large_count()
+ split
+ set spell
+ call setline(1, "ff")
+ norm 0z=337203685477580
+ set nospell
+ bwipe!
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
diff --git a/src/version.c b/src/version.c
index 86fa528c8..66aff800b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2111,
/**/
2110,
/**/
Commit: https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968
Author: Christian Brabandt <c...@256bit.org>
Date: Tue Nov 14 21:58:26 2023 +0100
patch 9.0.2111: [security]: overflow in get_number
Problem: [security]: overflow in get_number
Solution: Return 0 when the count gets too large
[security]: overflow in get_number
When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and in case when an
overflow is detected, simply return 0
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/misc1.c b/src/misc1.c
index 5b008c614..5f9828ebe 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -975,6 +975,8 @@ get_number(
c = safe_vgetc();
if (VIM_ISDIGIT(c))
{
+ if (n > INT_MAX / 10)
+ return 0;
n = n * 10 + c - '0';
msg_putchar(c);
++typed;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index be0bc5581..1ddcd83d5 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -1077,6 +1077,15 @@ func Test_spell_compatible()
call StopVimInTerminal(buf)
endfunc
+func Test_z_equal_with_large_count()
+ split
+ set spell
+ call setline(1, "ff")
+ norm 0z=337203685477580
+ set nospell
+ bwipe!
+endfunc
+
let g:test_data_aff1 = [
\"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
diff --git a/src/version.c b/src/version.c
index 86fa528c8..66aff800b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 2111,
/**/
2110,
/**/
Reply all
Reply to author
Forward
0 new messages