# HG changeset patch # User Bram Moolenaar # Date 1637757003 -3600 # Node ID 92fbed13ca4da6402bf7892c0abdd3cee6df043a # Parent c69a537bd421e5e92466f49a7c32135249c6b927 patch 8.2.3659: integer overflow with large line number Commit: https://github.com/vim/vim/commit/03725c5795ae5b8c14da4a39cd0ce723c6dd4304 Author: Bram Moolenaar Date: Wed Nov 24 12:17:53 2021 +0000 patch 8.2.3659: integer overflow with large line number Problem: Integer overflow with large line number. Solution: Check for overflow. (closes https://github.com/vim/vim/issues/9202) diff --git a/src/errors.h b/src/errors.h --- a/src/errors.h +++ b/src/errors.h @@ -688,3 +688,5 @@ EXTERN char e_cannot_expand_sfile_in_vim INIT(= N_("E1245: Cannot expand in a Vim9 function")); EXTERN char e_cannot_find_variable_to_unlock_str[] INIT(= N_("E1246: Cannot find variable to (un)lock: %s")); +EXTERN char e_line_number_out_of_range[] + INIT(= N_("E1247: Line number out of range")); diff --git a/src/ex_docmd.c b/src/ex_docmd.c --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -4380,7 +4380,14 @@ get_address( if (!VIM_ISDIGIT(*cmd)) // '+' is '+1', but '+0' is not '+1' n = 1; else + { n = getdigits(&cmd); + if (n == MAXLNUM) + { + emsg(_(e_line_number_out_of_range)); + goto error; + } + } if (addr_type == ADDR_TABS_RELATIVE) { @@ -4398,13 +4405,20 @@ get_address( // Relative line addressing, need to adjust for folded lines // now, but only do it after the first address. if (addr_type == ADDR_LINES && (i == '-' || i == '+') - && address_count >= 2) + && address_count >= 2) (void)hasFolding(lnum, NULL, &lnum); #endif if (i == '-') lnum -= n; else + { + if (n >= LONG_MAX - lnum) + { + emsg(_(e_line_number_out_of_range)); + goto error; + } lnum += n; + } } } } while (*cmd == '/' || *cmd == '?'); diff --git a/src/normal.c b/src/normal.c --- a/src/normal.c +++ b/src/normal.c @@ -630,10 +630,14 @@ getcount: del_from_showcmd(4); // delete the digit and ~@% #endif } + else if (ca.count0 >= 999999999L) + { + ca.count0 = 999999999L; + } else + { ca.count0 = ca.count0 * 10 + (c - '0'); - if (ca.count0 < 0) // overflow - ca.count0 = 999999999L; + } #ifdef FEAT_EVAL // Set v:count here, when called from main() and not a stuffed // command, so that v:count can be used in an expression mapping @@ -700,11 +704,14 @@ getcount: * multiplied. */ if (ca.count0) - ca.count0 *= ca.opcount; + { + if (ca.opcount >= 999999999L / ca.count0) + ca.count0 = 999999999L; + else + ca.count0 *= ca.opcount; + } else ca.count0 = ca.opcount; - if (ca.count0 < 0) // overflow - ca.count0 = 999999999L; } /* diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim --- a/src/testdir/test_excmd.vim +++ b/src/testdir/test_excmd.vim @@ -655,4 +655,16 @@ func Test_not_break_expression_register( call assert_equal('1+1', getreg('=', 1)) endfunc +func Test_address_line_overflow() + if v:sizeoflong < 8 + throw 'Skipped: only works with 64 bit long ints' + endif + new + call setline(1, 'text') + call assert_fails('|.44444444444444444444444', 'E1247:') + call assert_fails('|.9223372036854775806', 'E1247:') + bwipe! +endfunc + + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim --- a/src/testdir/test_normal.vim +++ b/src/testdir/test_normal.vim @@ -3519,4 +3519,25 @@ func Test_normal_gj_on_extra_wide_char() bw! endfunc +func Test_normal_count_out_of_range() + new + call setline(1, 'text') + normal 44444444444| + call assert_equal(999999999, v:count) + normal 444444444444| + call assert_equal(999999999, v:count) + normal 4444444444444| + call assert_equal(999999999, v:count) + normal 4444444444444444444| + call assert_equal(999999999, v:count) + + normal 9y99999999| + call assert_equal(899999991, v:count) + normal 10y99999999| + call assert_equal(999999999, v:count) + normal 44444444444y44444444444| + call assert_equal(999999999, v:count) + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -758,6 +758,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 3659, +/**/ 3658, /**/ 3657,