Mercurial > vim

diff src/ex_docmd.c @ 26256:92fbed13ca4d v8.2.3659

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 8.2.3659: integer overflow with large line number Commit: https://github.com/vim/vim/commit/03725c5795ae5b8c14da4a39cd0ce723c6dd4304 Author: Bram Moolenaar <Bram@vim.org> Date: Wed Nov 24 12:17:53 2021 +0000 patch 8.2.3659: integer overflow with large line number Problem: Integer overflow with large line number. Solution: Check for overflow. (closes https://github.com/vim/vim/issues/9202)
author Bram Moolenaar <Bram@vim.org>
date Wed, 24 Nov 2021 13:30:03 +0100
parents 027c5b4b6f07
children 8b594193dcb6
line wrap: on
line diff
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4380,7 +4380,14 @@ get_address(
 	    if (!VIM_ISDIGIT(*cmd))	// '+' is '+1', but '+0' is not '+1'
 		n = 1;
 	    else
+	    {
 		n = getdigits(&cmd);
+		if (n == MAXLNUM)
+		{
+		    emsg(_(e_line_number_out_of_range));
+		    goto error;
+		}
+	    }
 
 	    if (addr_type == ADDR_TABS_RELATIVE)
 	    {
@@ -4398,13 +4405,20 @@ get_address(
 		// Relative line addressing, need to adjust for folded lines
 		// now, but only do it after the first address.
 		if (addr_type == ADDR_LINES && (i == '-' || i == '+')
-			&& address_count >= 2)
+							 && address_count >= 2)
 		    (void)hasFolding(lnum, NULL, &lnum);
 #endif
 		if (i == '-')
 		    lnum -= n;
 		else
+		{
+		    if (n >= LONG_MAX - lnum)
+		    {
+			emsg(_(e_line_number_out_of_range));
+			goto error;
+		    }
 		    lnum += n;
+		}
 	    }
 	}
     } while (*cmd == '/' || *cmd == '?');