patch 9.0.2068: [security] overflow in :history Problem: [security] overflow in :history Solution: Check that value fits into int The get_list_range() function, used to parse numbers for the :history and :clist command internally uses long variables to store the numbers. However function arguments are integer pointers, which can then overflow. Check that the return value from the vim_str2nr() function is not larger than INT_MAX and if yes, bail out with an error. I guess nobody uses a cmdline/clist history that needs so many entries... (famous last words). It is only a moderate vulnerability, so impact should be low. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 9198c1f2b1ddecde22af918541e0de2a32f0f45a [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Thu Oct 26 21:29:32 2023 +0200
committer: Christian Brabandt <cb@256bit.org> Thu Oct 26 21:29:32 2023 +0200
tree: 2af602f979b00fea18542cd679191c320009f9b2
parent: 5f5131d775bf9966976e39aa38b070036cbfe969 [diff] [blame]
diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
index bb6d671..482328a 100644
--- a/src/testdir/test_history.vim
+++ b/src/testdir/test_history.vim

@@ -254,4 +254,12 @@
   set key& bs& ts&
 endfunc
 
+" The following used to overflow and causing an use-after-free
+func Test_history_max_val()
+
+  set history=10
+  call assert_fails(':history 2147483648', 'E1510:')
+  set history&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
commit	9198c1f2b1ddecde22af918541e0de2a32f0f45a	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Thu Oct 26 21:29:32 2023 +0200
committer	Christian Brabandt <cb@256bit.org>	Thu Oct 26 21:29:32 2023 +0200
tree	2af602f979b00fea18542cd679191c320009f9b2
parent	5f5131d775bf9966976e39aa38b070036cbfe969 [diff] [blame]