Mercurial > vim
changeset 33780:377ed6ab612c v9.0.2110
patch 9.0.2110: [security]: overflow in ex address parsing
Commit: https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200
Author: Christian Brabandt <cb@256bit.org>
Date: Tue Nov 14 21:33:29 2023 +0100
patch 9.0.2110: [security]: overflow in ex address parsing
Problem: [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
LONG_MAX
[security]: overflow in ex address parsing
When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).
So verify that lnum is actually positive before doing the overflow
check.
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 16 Nov 2023 22:15:12 +0100 |
parents | 731efc10982a |
children | c9ecc3bdb3e3 |
files | src/ex_docmd.c src/testdir/test_excmd.vim src/version.c |
diffstat | 3 files changed, 7 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -4644,7 +4644,7 @@ get_address( lnum -= n; else { - if (n >= LONG_MAX - lnum) + if (lnum >= 0 && n >= LONG_MAX - lnum) { emsg(_(e_line_number_out_of_range)); goto error;