patch 8.2.3659: integer overflow with large line number Problem: Integer overflow with large line number. Solution: Check for overflow. (closes #9202)

commit: 03725c5795ae5b8c14da4a39cd0ce723c6dd4304 [log] [tgz]
author: Bram Moolenaar <Bram@vim.org> Wed Nov 24 12:17:53 2021 +0000
committer: Bram Moolenaar <Bram@vim.org> Wed Nov 24 12:17:53 2021 +0000
tree: 9e95a417b4ae557702cec2d36858cd45d4ef9000
parent: 48608b4a4bfab4b9c0c9199d57b7e876c56db74c [diff] [blame]
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 76511de..d74ef90 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c

@@ -4380,7 +4380,14 @@
 	    if (!VIM_ISDIGIT(*cmd))	// '+' is '+1', but '+0' is not '+1'
 		n = 1;
 	    else
+	    {
 		n = getdigits(&cmd);
+		if (n == MAXLNUM)
+		{
+		    emsg(_(e_line_number_out_of_range));
+		    goto error;
+		}
+	    }
 
 	    if (addr_type == ADDR_TABS_RELATIVE)
 	    {
@@ -4398,13 +4405,20 @@
 		// Relative line addressing, need to adjust for folded lines
 		// now, but only do it after the first address.
 		if (addr_type == ADDR_LINES && (i == '-' || i == '+')
-			&& address_count >= 2)
+							 && address_count >= 2)
 		    (void)hasFolding(lnum, NULL, &lnum);
 #endif
 		if (i == '-')
 		    lnum -= n;
 		else
+		{
+		    if (n >= LONG_MAX - lnum)
+		    {
+			emsg(_(e_line_number_out_of_range));
+			goto error;
+		    }
 		    lnum += n;
+		}
 	    }
 	}
     } while (*cmd == '/' || *cmd == '?');
commit	03725c5795ae5b8c14da4a39cd0ce723c6dd4304	[log] [tgz]
author	Bram Moolenaar <Bram@vim.org>	Wed Nov 24 12:17:53 2021 +0000
committer	Bram Moolenaar <Bram@vim.org>	Wed Nov 24 12:17:53 2021 +0000
tree	9e95a417b4ae557702cec2d36858cd45d4ef9000
parent	48608b4a4bfab4b9c0c9199d57b7e876c56db74c [diff] [blame]