patch 9.0.2109: [security]: overflow in nv_z_get_count
Problem: [security]: overflow in nv_z_get_count
Solution: break out, if count is too large
When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/normal.c b/src/normal.c
index a06d61e..16b4b45 100644
--- a/src/normal.c
+++ b/src/normal.c
@@ -2562,7 +2562,14 @@
if (nchar == K_DEL || nchar == K_KDEL)
n /= 10;
else if (VIM_ISDIGIT(nchar))
+ {
+ if (n > LONG_MAX / 10)
+ {
+ clearopbeep(cap->oap);
+ break;
+ }
n = n * 10 + (nchar - '0');
+ }
else if (nchar == CAR)
{
#ifdef FEAT_GUI
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index c7d37f0..6b889f4 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -4159,4 +4159,9 @@
bw!
endfunc
+func Test_normal34_zet_large()
+ " shouldn't cause overflow
+ norm! z9765405999999999999
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 16db8f2..2f82473 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 2109,
+/**/
2108,
/**/
2107,