Commit: patch 9.2.0487: viminfo: possible signed int overflow in register array
1 view
Skip to first unread message
Christian Brabandt
May 15, 2026, 1:00:17 PM (5 days ago) May 15
to vim...@googlegroups.com
patch 9.2.0487: viminfo: possible signed int overflow in register array
Commit: https://github.com/vim/vim/commit/ee49669e8f3b5ecdcfd2fdd08aeaac0e3de26ea8
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Fri May 15 16:44:46 2026 +0000
patch 9.2.0487: viminfo: possible signed int overflow in register array
Problem: viminfo: possible signed int overflow in register array growth
Solution: Cast to size_t (Yasuhiro Matsumoto)
The expression `limit * 2 * sizeof(string_T)` in read_viminfo_register()
multiplies in int and overflows once limit exceeds INT_MAX/2. Cast to
size_t first so the size computation stays unsigned. Defensive only;
reaching this path requires registers consuming many gigabytes.
closes: #20207
Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/version.c b/src/version.c
index 046cc8342..0714ec1ac 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 487,
/**/
486,
/**/
diff --git a/src/viminfo.c b/src/viminfo.c
index d05900544..bb84726c8 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -1706,7 +1706,7 @@ read_viminfo_register(vir_T *virp, int force)
if (size == limit)
{
string_T *new_array = (string_T *)
- alloc(limit * 2 * sizeof(string_T));
+ alloc((size_t)limit * 2 * sizeof(string_T));
if (new_array == NULL)
{
Commit: https://github.com/vim/vim/commit/ee49669e8f3b5ecdcfd2fdd08aeaac0e3de26ea8
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Fri May 15 16:44:46 2026 +0000
patch 9.2.0487: viminfo: possible signed int overflow in register array
Problem: viminfo: possible signed int overflow in register array growth
Solution: Cast to size_t (Yasuhiro Matsumoto)
The expression `limit * 2 * sizeof(string_T)` in read_viminfo_register()
multiplies in int and overflows once limit exceeds INT_MAX/2. Cast to
size_t first so the size computation stays unsigned. Defensive only;
reaching this path requires registers consuming many gigabytes.
closes: #20207
Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/version.c b/src/version.c
index 046cc8342..0714ec1ac 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 487,
/**/
486,
/**/
diff --git a/src/viminfo.c b/src/viminfo.c
index d05900544..bb84726c8 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -1706,7 +1706,7 @@ read_viminfo_register(vir_T *virp, int force)
if (size == limit)
{
string_T *new_array = (string_T *)
- alloc(limit * 2 * sizeof(string_T));
+ alloc((size_t)limit * 2 * sizeof(string_T));
if (new_array == NULL)
{
Reply all
Reply to author
Forward
0 new messages