patch 9.0.2068: [security] overflow in :history
Problem: [security] overflow in :history
Solution: Check that value fits into int
The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.
Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).
It is only a moderate vulnerability, so impact should be low.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/cmdhist.c b/src/cmdhist.c
index d398ca7..96a9b3e 100644
--- a/src/cmdhist.c
+++ b/src/cmdhist.c
@@ -742,7 +742,10 @@
end = arg;
if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
{
- semsg(_(e_trailing_characters_str), end);
+ if (*end != NUL)
+ semsg(_(e_trailing_characters_str), end);
+ else
+ semsg(_(e_val_too_large), arg);
return;
}