Mercurial > vim

diff src/ex_docmd.c @ 33780:377ed6ab612c v9.0.2110

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 9.0.2110: [security]: overflow in ex address parsing Commit: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200 Author: Christian Brabandt <cb@256bit.org> Date: Tue Nov 14 21:33:29 2023 +0100 patch 9.0.2110: [security]: overflow in ex address parsing Problem: [security]: overflow in ex address parsing Solution: Verify that lnum is positive, before substracting from LONG_MAX [security]: overflow in ex address parsing When parsing relative ex addresses one may unintentionally cause an overflow (because LONG_MAX - lnum will overflow for negative addresses). So verify that lnum is actually positive before doing the overflow check. Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Thu, 16 Nov 2023 22:15:12 +0100
parents e628d7f03758
children 7c30841c60a0
line wrap: on
line diff
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4644,7 +4644,7 @@ get_address(
 		    lnum -= n;
 		else
 		{
-		    if (n >= LONG_MAX - lnum)
+		    if (lnum >= 0 && n >= LONG_MAX - lnum)
 		    {
 			emsg(_(e_line_number_out_of_range));
 			goto error;