From 9d39ad63182cebe18f89152f2239ff8aeff58308 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Fri, 17 Nov 2023 07:18:12 +0800
Subject: [PATCH] vim-patch:9.0.2111: [security]: overflow in get_number
Problem: [security]: overflow in get_number
Solution: Return 0 when the count gets too large
[security]: overflow in get_number
When using the z= command, we may overflow the count with values larger than MAX_INT. So verify that we do not overflow and in case when an overflow is detected, simply return 0
https://github.com/vim/vim/commit/73b2d3790cad5694fc0ed0db2926e4220c48d968
Co-authored-by: Christian Brabandt
---
 src/nvim/input.c | 3 +++
 test/old/testdir/test_spell.vim | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/src/nvim/input.c b/src/nvim/input.c
index 2f5eb49ce0..d6ade22fdb 100644
--- a/src/nvim/input.c
+++ b/src/nvim/input.c
@@ -180,6 +180,9 @@ int get_number(int colon, int *mouse_used)
 ui_cursor_goto(msg_row, msg_col);
 int c = safe_vgetc();
 if (ascii_isdigit(c)) {
+ if (n > INT_MAX / 10) {
+ return 0;
+ }
 n = n * 10 + c - '0';
 msg_putchar(c);
 typed++;
diff --git a/test/old/testdir/test_spell.vim b/test/old/testdir/test_spell.vim
index b2fc40ee08..a19b64a7de 100644
--- a/test/old/testdir/test_spell.vim
+++ b/test/old/testdir/test_spell.vim
@@ -1081,6 +1081,15 @@ func Test_spell_compatible()
 call StopVimInTerminal(buf)
 endfunc
+func Test_z_equal_with_large_count()
+ split
+ set spell
+ call setline(1, "ff")
+ norm 0z=337203685477580
+ set nospell
+ bwipe!
+endfunc
+
 let g:test_data_aff1 = [
 \"SET ISO8859-1",
 \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
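Review bot: The new guard `if (n > INT_MAX / 10)` still lets `n * 10 + c - '0'` overflow at the boundary: with `n == INT_MAX / 10` the product is in range, but the expression is evaluated left to right, so `n * 10 + c` adds the character code (48–57) before `'0'` is subtracted and exceeds INT_MAX, and the same holds for values of n a few below that limit. Assuming `n` is an `int` (its declaration is outside the hunk), that is signed overflow and therefore undefined behaviour, so the check should account for the digit: `if (n > (INT_MAX - (c - '0')) / 10) { return 0; }` followed by `n = n * 10 + (c - '0');`. The early `return 0` also skips whatever get_number does after its input loop, which is not visible here, so it is worth confirming that no prompt or cursor state is left behind on that path.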
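Review bot: Test_z_equal_with_large_count asserts nothing, so it fails only if the editor crashes or a sanitizer build reports the overflow; on a build where signed arithmetic simply wraps it would presumably pass without the fix as well. The typed count is already above `INT_MAX / 10` after nine digits, so the case where the accumulated value sits exactly at `INT_MAX / 10` is never exercised. If a rejected count is meant to leave the buffer unchanged, add `call assert_equal('ff', getline(1))` after the `norm` line, plus a second case with a count just above INT_MAX and a comment such as `" a count larger than INT_MAX must not overflow in get_number()`.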