comparison src/ex_docmd.c @ 33780:377ed6ab612c v9.0.2110
patch 9.0.2110: [security]: overflow in ex address parsing
Commit: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
Author: Christian Brabandt <cb@256bit.org>
Date: Tue Nov 14 21:33:29 2023 +0100
patch 9.0.2110: [security]: overflow in ex address parsing
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before subtracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 16 Nov 2023 22:15:12 +0100 |
parents | e628d7f03758 |
children | 7c30841c60a0 |
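--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4642,11 +4642,11 @@
 #endif
 if (i == '-')
 lnum -= n;
 else
 {
-if (n >= LONG_MAX - lnum)
+if (lnum >= 0 && n >= LONG_MAX - lnum)
 {
 emsg(_(e_line_number_out_of_range));
 goto error;
 }
 lnum += n;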
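Review bot: The `-` branch at line 4644 still runs `lnum -= n;` with no range check, so only the addition path is protected against signed overflow. If lnum can already be negative at this point, which the new `lnum >= 0` guard suggests, a large n could push the subtraction below LONG_MIN, and that is undefined behaviour in signed arithmetic. Assuming n is never negative (its declaration is outside the hunk), a mirrored guard such as `if (lnum < 0 && n > lnum - LONG_MIN)` with the same `emsg(_(e_line_number_out_of_range)); goto error;` would close that path. A short comment above line 4647, for example `// LONG_MAX - lnum itself overflows when lnum is negative`, would also record why the sign test has to come first. The enclosing function starts and ends outside this section.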