From 060623e4a3bc72b011e7cd92bedb3bfb64e06200 Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Tue, 14 Nov 2023 21:33:29 +0100
|
|
Subject: [PATCH] patch 9.0.2110: [security]: overflow in ex address parsing
|
|
|
|
Problem: [security]: overflow in ex address parsing
|
|
Solution: Verify that lnum is positive before subtracting from
|
|
LONG_MAX
|
|
|
|
[security]: overflow in ex address parsing
|
|
|
|
When parsing relative ex addresses one may unintentionally cause an
|
|
overflow (because LONG_MAX - lnum will overflow for negative addresses).
|
|
|
|
So verify that lnum is actually positive before doing the overflow
|
|
check.
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/ex_docmd.c | 2 +-
|
|
src/testdir/test_excmd.vim | 4 ++++
|
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
|
|
index 06837ac92c55c..01d411a632ccf 100644
|
|
--- a/src/ex_docmd.c
|
|
+++ b/src/ex_docmd.c
|
|
@@ -4603,7 +4603,7 @@ get_address(
|
|
lnum -= n;
|
|
else
|
|
{
|
|
- if (n >= LONG_MAX - lnum)
|
|
+ if (lnum >= 0 && n >= LONG_MAX - lnum)
|
|
{
|
|
emsg(_(e_line_number_out_of_range));
|
|
goto error;
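Review bot: The subtraction branch on the first context line, `lnum -= n;`, has no range check visible in this hunk, while the commit itself establishes that lnum can already be negative when this code runs. If n can be large there, the subtraction could overflow in the negative direction in the same way the addition did, so it is worth confirming that a guard exists above the hunk or adding a symmetric one, for example `if (lnum < 0 && n > lnum - LONG_MIN)` followed by the same `emsg(_(e_line_number_out_of_range)); goto error;`. Independently, the new condition deserves a short why-comment such as `// LONG_MAX - lnum itself overflows when lnum is negative`, since the reason for `lnum >= 0` is not obvious from the line alone. get_address() starts and ends outside the hunk, so the bounds on n are assumed here, not verified.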
|
|
diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
|
|
index 3637351f636c0..47fc26726d5e6 100644
|
|
--- a/src/testdir/test_excmd.vim
|
|
+++ b/src/testdir/test_excmd.vim
|
|
@@ -725,5 +725,9 @@ func Test_write_after_rename()
|
|
bwipe!
|
|
endfunc
|
|
|
|
+" catch address lines overflow
|
|
+func Test_ex_address_range_overflow()
|
|
+ call assert_fails(':--+foobar', 'E492:')
|
|
+endfunc
|
|
|
|
" vim: shiftwidth=2 sts=2 expandtab
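Review bot: Test_ex_address_range_overflow asserts only `E492:`, which shows that address parsing completed and the unknown command was rejected, so it presumably flags a regression of the overflow check only in a build where signed overflow is trapped (a sanitizer run). The comment above the function could say that, for example `" LONG_MAX - lnum overflowed for a negative lnum; detected by UBSan builds`, so a later reader does not mistake the test for a plain error-message check. If the test suite is not routinely run under a sanitizer, this test gives little protection on its own.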
|