patch 9.0.2111: [security]: overflow in get_number

Problem: [security]: overflow in get_number Solution: Return 0 when the count gets too large [security]: overflow in get_number When using the z= command, we may overflow the count with values larger than MAX_INT. So verify that we do not overflow and in case when an overflow is detected, simply return 0 Signed-off-by: Christian Brabandt <cb@256bit.org>
vim · Nov 16, 2023 · 73b2d37 · 73b2d37
1 parent 060623e
commit 73b2d37
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/src/misc1.c b/src/misc1.c
@@ -975,6 +975,8 @@ get_number(
 	c = safe_vgetc();
 	if (VIM_ISDIGIT(c))
 	{
+	    if (n > INT_MAX / 10)
+		return 0;
 	    n = n * 10 + c - '0';
 	    msg_putchar(c);
 	    ++typed;

diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
@@ -1077,6 +1077,15 @@ func Test_spell_compatible()
   call StopVimInTerminal(buf)
 endfunc
 
+func Test_z_equal_with_large_count()
+  split
+  set spell
+  call setline(1, "ff")
+  norm 0z=337203685477580
+  set nospell
+  bwipe!
+endfunc
+
 let g:test_data_aff1 = [
       \"SET ISO8859-1",
       \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",

diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2111,
 /**/
     2110,
 /**/