vim-patch:9.0.2111: [security]: overflow in get_number

Problem:  [security]: overflow in get_number
Solution: Return 0 when the count gets too large

[security]: overflow in get_number

When using the z= command, we may overflow the count with values larger
than MAX_INT. So verify that we do not overflow and, if an overflow is
detected, simply return 0.

73b2d3790c

Co-authored-by: Christian Brabandt <cb@256bit.org>
zeertzjq 2023-11-17 07:18:12 +08:00
parent 809b05bf27
commit 9d39ad6318
2 changed files with 12 additions and 0 deletions


@ -180,6 +180,9 @@ int get_number(int colon, int *mouse_used)
ui_cursor_goto(msg_row, msg_col); ui_cursor_goto(msg_row, msg_col);
int c = safe_vgetc(); int c = safe_vgetc();
if (ascii_isdigit(c)) { if (ascii_isdigit(c)) {
if (n > INT_MAX / 10) {
return 0;
}
n = n * 10 + c - '0'; n = n * 10 + c - '0';
msg_putchar(c); msg_putchar(c);
typed++; typed++;
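Review bot: The added guard `if (n > INT_MAX / 10)` still lets `n == INT_MAX / 10` through, and the following `n = n * 10 + c - '0';` can then exceed INT_MAX. That expression is evaluated as `(n * 10 + c) - '0'`, so at that value the intermediate sum overflows for every digit, and the final result overflows for the digits 8 and 9. Assuming n is an int (its declaration is outside the hunk), folding the digit into the bound closes the gap: `if (n > (INT_MAX - (c - '0')) / 10) {` together with `n = n * 10 + (c - '0');`. get_number's body starts and ends outside the hunk, so how callers treat the returned 0 could not be checked here.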


@ -1081,6 +1081,15 @@ func Test_spell_compatible()
call StopVimInTerminal(buf) call StopVimInTerminal(buf)
endfunc endfunc
func Test_z_equal_with_large_count()
split
set spell
call setline(1, "ff")
norm 0z=337203685477580
set nospell
bwipe!
endfunc
let g:test_data_aff1 = [ let g:test_data_aff1 = [
\"SET ISO8859-1", \"SET ISO8859-1",
\"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
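Review bot: Test_z_equal_with_large_count asserts nothing, so it fails only when the overflow crashes the editor or a sanitizer build reports it; on an ordinary build it may pass without the fix. A one-line comment above the `norm` line, such as `" This was causing an integer overflow in get_number()`, would tell the next reader why the count is so large. If the over-large count is meant to select no suggestion, presumably leaving the line unchanged, `call assert_equal('ff', getline(1))` before `set nospell` would pin that; confirm the expected text before adding it.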