51 lines
1.4 KiB
Diff
51 lines
1.4 KiB
Diff
From 58f9befca1fa172068effad7f2ea5a9d6a7b0cca Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Tue, 14 Nov 2023 21:02:30 +0100
|
|
Subject: [PATCH] patch 9.0.2109: [security]: overflow in nv_z_get_count
|
|
|
|
Problem: [security]: overflow in nv_z_get_count
|
|
Solution: break out, if count is too large
|
|
|
|
When getting the count for a normal z command, it may overflow for large
|
|
counts given. So verify, that we can safely store the result in a long.
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/normal.c | 7 +++++++
|
|
src/testdir/test_normal.vim | 5 +++++
|
|
2 files changed, 12 insertions(+)
|
|
|
|
diff --git a/src/normal.c b/src/normal.c
|
|
index a06d61e6fce7d..16b4b45069329 100644
|
|
--- a/src/normal.c
|
|
+++ b/src/normal.c
|
|
@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
|
|
if (nchar == K_DEL || nchar == K_KDEL)
|
|
n /= 10;
|
|
else if (VIM_ISDIGIT(nchar))
|
|
+ {
|
|
+ if (n > LONG_MAX / 10)
|
|
+ {
|
|
+ clearopbeep(cap->oap);
|
|
+ break;
|
|
+ }
|
|
n = n * 10 + (nchar - '0');
|
|
+ }
|
|
else if (nchar == CAR)
|
|
{
|
|
#ifdef FEAT_GUI
|
|
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
|
|
index c7d37f066f208..6b889f46b3dd7 100644
|
|
--- a/src/testdir/test_normal.vim
|
|
+++ b/src/testdir/test_normal.vim
|
|
@@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank()
|
|
bw!
|
|
endfunc
|
|
|
|
+func Test_normal34_zet_large()
|
|
+ " shouldn't cause overflow
|
|
+ norm! z9765405999999999999
|
|
+endfunc
|
|
+
|
|
" vim: shiftwidth=2 sts=2 expandtab
|