patch 9.0.2108: [security]: overflow with count for :s command Problem: [security]: overflow with count for :s command Solution: Abort the :s command if the count is too large If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Adds a test with INT_MAX as count and verify it correctly fails. It seems the return value on Windows using mingw compiler wraps around, so the initial test using :s/./b/9999999999999999999999999990 doesn't fail there, since the count is wrapping around several times and finally is no longer larger than 2147483647. So let's just use 2147483647 in the test, which hopefully will always cause a failure Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: ac63787734fda2e294e477af52b3bd601517fa78 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Tue Nov 14 20:45:48 2023 +0100
committer: Christian Brabandt <cb@256bit.org> Thu Nov 16 22:04:37 2023 +0100
tree: 79a2df1e1b876a0920d47585343519aa4f8e3b9b
parent: cb0b99f0672d8446585d26e998343dceca17d1ce [diff] [blame]
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 3544092..c5f912e 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c

@@ -3993,6 +3993,13 @@
 	    emsg(_(e_positive_count_required));
 	    return;
 	}
+	else if (i >= INT_MAX)
+	{
+	    char	buf[20];
+	    vim_snprintf(buf, sizeof(buf), "%ld", i);
+	    semsg(_(e_val_too_large), buf);
+	    return;
+	}
 	eap->line1 = eap->line2;
 	eap->line2 += i - 1;
 	if (eap->line2 > curbuf->b_ml.ml_line_count)
commit	ac63787734fda2e294e477af52b3bd601517fa78	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Tue Nov 14 20:45:48 2023 +0100
committer	Christian Brabandt <cb@256bit.org>	Thu Nov 16 22:04:37 2023 +0100
tree	79a2df1e1b876a0920d47585343519aa4f8e3b9b
parent	cb0b99f0672d8446585d26e998343dceca17d1ce [diff] [blame]