Mercurial > vim
diff src/ex_cmds.c @ 11303:ef32a5c74515 v8.0.0537
patch 8.0.0537: illegal memory access with :z and large count
commit https://github.com/vim/vim/commit/fa0ad0bb0b4255e64ebcf9269d60a942e0ae7ff9
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Apr 2 15:45:17 2017 +0200
patch 8.0.0537: illegal memory access with :z and large count
Problem: Illegal memory access with :z and large count.
Solution: Check for number overflow, using long instead of int. (Dominique
Pelle, closes #1612)
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Sun, 02 Apr 2017 16:00:05 +0200 |
parents | 918942a3b0ef |
children | 1074f58e1673 |
line wrap: on
line diff
--- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -4564,7 +4564,7 @@ ex_change(exarg_T *eap) ex_z(exarg_T *eap) { char_u *x; - int bigness; + long bigness; char_u *kind; int minus = 0; linenr_T start, end, curs, i; @@ -4601,7 +4601,12 @@ ex_z(exarg_T *eap) } else { - bigness = atoi((char *)x); + bigness = atol((char *)x); + + /* bigness could be < 0 if atol(x) overflows. */ + if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0) + bigness = 2 * curbuf->b_ml.ml_line_count; + p_window = bigness; if (*kind == '=') bigness += 2;