Mercurial > vim
comparison src/cmdhist.c @ 33660:ca0229869b38 v9.0.2068
patch 9.0.2068: [security] overflow in :history
Commit: https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a
Author: Christian Brabandt <cb@256bit.org>
Date: Thu Oct 26 21:29:32 2023 +0200
patch 9.0.2068: [security] overflow in :history
Problem: [security] overflow in :history
Solution: Check that value fits into int
The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.
Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).
It is only a moderate vulnerability, so impact should be low.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 26 Oct 2023 21:45:05 +0200 |
parents | 6e24001000ed |
children | 1629cc65d78d |
comparison
equal
deleted
inserted
replaced
33659:867fa40377c1 | 33660:ca0229869b38 |
---|---|
740 } | 740 } |
741 else | 741 else |
742 end = arg; | 742 end = arg; |
743 if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL) | 743 if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL) |
744 { | 744 { |
745 semsg(_(e_trailing_characters_str), end); | 745 if (*end != NUL) |
746 semsg(_(e_trailing_characters_str), end); | |
747 else | |
748 semsg(_(e_val_too_large), arg); | |
746 return; | 749 return; |
747 } | 750 } |
748 | 751 |
749 for (; !got_int && histype1 <= histype2; ++histype1) | 752 for (; !got_int && histype1 <= histype2; ++histype1) |
750 { | 753 { |