54 lines
1.5 KiB
Diff
54 lines
1.5 KiB
Diff
From 73b2d3790cad5694fc0ed0db2926e4220c48d968 Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Tue, 14 Nov 2023 21:58:26 +0100
|
|
Subject: [PATCH] patch 9.0.2111: [security]: overflow in get_number
|
|
|
|
Problem: [security]: overflow in get_number
|
|
Solution: Return 0 when the count gets too large
|
|
|
|
[security]: overflow in get_number
|
|
|
|
When using the z= command, we may overflow the count with values larger
|
|
than MAX_INT. So verify that we do not overflow and in case when an
|
|
overflow is detected, simply return 0
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/misc1.c | 2 ++
|
|
src/testdir/test_spell.vim | 9 +++++++++
|
|
2 files changed, 11 insertions(+)
|
|
|
|
diff --git a/src/misc1.c b/src/misc1.c
|
|
index 5b008c614a9bb..5f9828ebe9544 100644
|
|
--- a/src/misc1.c
|
|
+++ b/src/misc1.c
|
|
@@ -951,6 +951,8 @@ get_number(
|
|
c = safe_vgetc();
|
|
if (VIM_ISDIGIT(c))
|
|
{
|
|
+ if (n > INT_MAX / 10)
|
|
+ return 0;
|
|
n = n * 10 + c - '0';
|
|
msg_putchar(c);
|
|
++typed;
|
|
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
|
|
index be0bc55810f0e..1ddcd83d5117e 100644
|
|
--- a/src/testdir/test_spell.vim
|
|
+++ b/src/testdir/test_spell.vim
|
|
@@ -965,6 +965,15 @@ func Test_spell_screendump()
|
|
call delete('XtestSpell')
|
|
endfunc
|
|
|
|
+func Test_z_equal_with_large_count()
|
|
+ split
|
|
+ set spell
|
|
+ call setline(1, "ff")
|
|
+ norm 0z=337203685477580
|
|
+ set nospell
|
|
+ bwipe!
|
|
+endfunc
|
|
+
|
|
let g:test_data_aff1 = [
|
|
\"SET ISO8859-1",
|
|
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
|