patch 8.0.0537: illegal memory access with :z and large count
Problem: Illegal memory access with :z and large count.
Solution: Check for number overflow, using long instead of int. (Dominique
Pelle, closes #1612)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 6940e55..4b0bdef 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4564,7 +4564,7 @@
ex_z(exarg_T *eap)
{
char_u *x;
- int bigness;
+ long bigness;
char_u *kind;
int minus = 0;
linenr_T start, end, curs, i;
@@ -4601,7 +4601,12 @@
}
else
{
- bigness = atoi((char *)x);
+ bigness = atol((char *)x);
+
+ /* bigness could be < 0 if atol(x) overflows. */
+ if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0)
+ bigness = 2 * curbuf->b_ml.ml_line_count;
+
p_window = bigness;
if (*kind == '=')
bigness += 2;
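Review bot: The added comment after `bigness = atol((char *)x);` relies on atol() returning a negative value on overflow, but the C standard leaves atol() undefined when the result cannot be represented, so the `bigness < 0` test is not guaranteed to catch an oversized count. strtol() is specified to saturate at LONG_MAX/LONG_MIN, which the existing clamp then handles; I would use `bigness = strtol((char *)x, NULL, 10);` and reword the comment to `/* strtol() saturates on overflow; clamp to twice the line count. */`. On targets where long is 32 bits the change from int adds no range, so the clamp does all the work there and deserves a regression test with a count above LONG_MAX. The body of ex_z() starts and ends outside this hunk, so how x is validated before this point is not visible here.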