Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_vim / 060623e4a3bc72b011e7cd92bedb3bfb64e06200^! / . / src
commit060623e4a3bc72b011e7cd92bedb3bfb64e06200[log] [tgz]
authorChristian Brabandt <cb@256bit.org>Tue Nov 14 21:33:29 2023 +0100
committerChristian Brabandt <cb@256bit.org>Thu Nov 16 22:04:38 2023 +0100
tree10d957de477543bcf11d3973dabc0a62f1981520
parent58f9befca1fa172068effad7f2ea5a9d6a7b0cca [diff]
patch 9.0.2110: [security]: overflow in ex address parsing

Problem:  [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
          LONG_MAX

[security]: overflow in ex address parsing

When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).

So verify that lnum is actually positive before doing the overflow
check.

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 06837ac..01d411a 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c

@@ -4644,7 +4644,7 @@
 		    lnum -= n;
 		else
 		{
-		    if (n >= LONG_MAX - lnum)
+		    if (lnum >= 0 && n >= LONG_MAX - lnum)
 		    {
 			emsg(_(e_line_number_out_of_range));
 			goto error;

diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
index 3637351..47fc267 100644
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim

@@ -724,5 +724,9 @@
   bwipe!
 endfunc
 
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+  call assert_fails(':--+foobar', 'E492:')
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 2f82473..86fa528 100644
--- a/src/version.c
+++ b/src/version.c

@@ -705,6 +705,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2110,
+/**/
     2109,
 /**/
     2108,