Mercurial > vim

comparison src/cmdhist.c @ 33660:ca0229869b38 v9.0.2068

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 9.0.2068: [security] overflow in :history Commit: https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a Author: Christian Brabandt <cb@256bit.org> Date: Thu Oct 26 21:29:32 2023 +0200 patch 9.0.2068: [security] overflow in :history Problem: [security] overflow in :history Solution: Check that value fits into int The get_list_range() function, used to parse numbers for the :history and :clist command internally uses long variables to store the numbers. However function arguments are integer pointers, which can then overflow. Check that the return value from the vim_str2nr() function is not larger than INT_MAX and if yes, bail out with an error. I guess nobody uses a cmdline/clist history that needs so many entries... (famous last words). It is only a moderate vulnerability, so impact should be low. Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Thu, 26 Oct 2023 21:45:05 +0200
parents 6e24001000ed
children 1629cc65d78d
comparison
equal deleted inserted replaced
33659:867fa40377c1 33660:ca0229869b38
740 } 740 }
741 else 741 else
742 end = arg; 742 end = arg;
743 if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL) 743 if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
744 { 744 {
745 semsg(_(e_trailing_characters_str), end); 745 if (*end != NUL)
746 semsg(_(e_trailing_characters_str), end);
747 else
748 semsg(_(e_val_too_large), arg);
746 return; 749 return;
747 } 750 }
748 751
749 for (; !got_int && histype1 <= histype2; ++histype1) 752 for (; !got_int && histype1 <= histype2; ++histype1)
750 { 753 {