Commit: patch 9.0.2111: [security]: overflow in get_number

Thu, 16 Nov 2023 13:15:22 -0800 

patch 9.0.2111: [security]: overflow in get_number

Commit: 
https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968
Author: Christian Brabandt <c...@256bit.org>
Date:   Tue Nov 14 21:58:26 2023 +0100

    patch 9.0.2111: [security]: overflow in get_number
    
    Problem:  [security]: overflow in get_number
    Solution: Return 0 when the count gets too large
    
    [security]: overflow in get_number
    
    When using the z= command, we may overflow the count with values larger
    than MAX_INT. So verify that we do not overflow and in case when an
    overflow is detected, simply return 0
    
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/misc1.c b/src/misc1.c
index 5b008c614..5f9828ebe 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -975,6 +975,8 @@ get_number(
        c = safe_vgetc();
        if (VIM_ISDIGIT(c))
        {
+           if (n > INT_MAX / 10)
+               return 0;
            n = n * 10 + c - '0';
            msg_putchar(c);
            ++typed;
diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim
index be0bc5581..1ddcd83d5 100644
--- a/src/testdir/test_spell.vim
+++ b/src/testdir/test_spell.vim
@@ -1077,6 +1077,15 @@ func Test_spell_compatible()
   call StopVimInTerminal(buf)
 endfunc
 
+func Test_z_equal_with_large_count()
+  split
+  set spell
+  call setline(1, "ff")
+  norm 0z=337203685477580
+  set nospell
+  bwipe!
+endfunc
+
 let g:test_data_aff1 = [
       \"SET ISO8859-1",
       \"TRY 
esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
diff --git a/src/version.c b/src/version.c
index 86fa528c8..66aff800b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2111,
 /**/
     2110,
 /**/

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/vim_dev/E1r3jhi-00DAHp-3O%40256bit.org.

Raspunde prin e-mail lui