patch 9.1.0722: crash with large id in text_prop interface
Problem: crash with large id in text_prop interface
prop_add()/prop_add_list() (cposture)
Solution: Error out if the id is > INT_MAX or <= INT_MIN
fixes: #15637
closes: #15638
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/textprop.c b/src/textprop.c
index fe0c8d2..d16f8ec 100644
--- a/src/textprop.c
+++ b/src/textprop.c
@@ -372,7 +372,16 @@
type_name = dict_get_string(dict, "type", FALSE);
if (dict_has_key(dict, "id"))
- id = dict_get_number(dict, "id");
+ {
+ vimlong_T x;
+ x = dict_get_number(dict, "id");
+ if (x > INT_MAX || x <= INT_MIN)
+ {
+ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
+ return;
+ }
+ id = (int)x;
+ }
if (get_bufnr_from_arg(&argvars[0], &buf) == FAIL)
return;
@@ -497,7 +506,16 @@
end_col = 1;
if (dict_has_key(dict, "id"))
- id = dict_get_number(dict, "id");
+ {
+ vimlong_T x;
+ x = dict_get_number(dict, "id");
+ if (x > INT_MAX || x <= INT_MIN)
+ {
+ semsg(_(e_val_too_large), dict_get_string(dict, "id", FALSE));
+ goto theend;
+ }
+ id = (int)x;
+ }
if (dict_has_key(dict, "text"))
{