From 7f2e3527007580e6885b0fd6253aefba13e74a60 Mon Sep 17 00:00:00 2001
From: Jan Edmund Lazo
Date: Sat, 14 Jul 2018 18:03:20 -0400
Subject: [PATCH] vim-patch:8.0.0879: crash when shifting with huge number
Problem: Crash when shifting with huge number.
Solution: Check for overflow. (Dominique Pelle, closes vim/vim#1945)
https://github.com/vim/vim/commit/bae5a17a738d1a3b5c51d9aa5d99e228d3911955
---
 src/nvim/ops.c | 9 ++++++---
 src/nvim/testdir/test_visual.vim | 8 ++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/nvim/ops.c b/src/nvim/ops.c
index 4fb1a1ea9d..d0317c84f6 100644
--- a/src/nvim/ops.c
+++ b/src/nvim/ops.c
@@ -312,7 +312,6 @@ static void shift_block(oparg_T *oap, int amount)
 {
 int left = (oap->op_type == OP_LSHIFT);
 int oldstate = State;
- int total;
 char_u *newp, *oldp;
 int oldcol = curwin->w_cursor.col;
 int p_sw = get_sw_value(curbuf);
@@ -331,8 +330,12 @@ static void shift_block(oparg_T *oap, int amount)
 if (bd.is_short) return;
- /* total is number of screen columns to be inserted/removed */
- total = amount * p_sw;
+ // total is number of screen columns to be inserted/removed
+ int total = (int)((unsigned)amount * (unsigned)p_sw);
+ if ((total / p_sw) != amount) {
+ return; // multiplication overflow
+ }
+
 oldp = get_cursor_line_ptr();
 if (!left) {
diff --git a/src/nvim/testdir/test_visual.vim b/src/nvim/testdir/test_visual.vim
index 0be6ebd02d..6520666d45 100644
--- a/src/nvim/testdir/test_visual.vim
+++ b/src/nvim/testdir/test_visual.vim
@@ -17,6 +17,14 @@ func Test_block_shift_multibyte()
 q!
 endfunc
+func Test_block_shift_overflow()
+ " This used to cause a multiplication overflow followed by a crash.
+ new
+ normal ii
+ exe "normal \876543210>"
+ q!
+endfunc
+
 func Test_Visual_ctrl_o()
 new
 call setline(1, ['one', 'two', 'three'])
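Review bot: The new `return; // multiplication overflow` in the second ops.c hunk leaves shift_block() without any restore step, although the first hunk shows `int oldstate = State;` and `int oldcol = curwin->w_cursor.col;` being saved at the top of the function. If State or the cursor column is modified before this point (the lines in between are outside the hunk), the overflow path, like the existing `if (bd.is_short) return;` above it, would return with those values still changed; restoring them before returning, or moving the overflow check ahead of the first modification, would avoid that. The check also divides by `p_sw`, so it relies on get_sw_value() never returning 0, which deserves a comment such as `// p_sw is never 0: get_sw_value() falls back to 'tabstop'` once that is confirmed.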
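Review bot: Test_block_shift_overflow() only shows that the huge-count shift no longer crashes; it asserts nothing about the buffer afterwards. Since the overflow path in shift_block() returns before the line is rewritten, an assertion such as `call assert_equal('i', getline(1))` placed before `q!` would pin that the text is left unchanged. The expected value is inferred from the ops.c hunk and should be confirmed by running the test.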