Mercurial > vim
changeset 14061:47b2db8a5709 v8.1.0048
patch 8.1.0048: vim_str2nr() does not handle numbers close to the maximum
commit https://github.com/vim/vim/commit/07ccf7ce7fb948fd4d080b817e9fbaea9e721dab
Author: Bram Moolenaar <Bram@vim.org>
Date: Tue Jun 12 17:25:36 2018 +0200
patch 8.1.0048: vim_str2nr() does not handle numbers close to the maximum
Problem: vim_str2nr() does not handle numbers close to the maximum.
Solution: Check for overflow more precisely. (Ken Takata, closes https://github.com/vim/vim/issues/2746)
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Tue, 12 Jun 2018 17:30:06 +0200 |
| parents | 18c62ba45098 |
| children | bc0f80e06d2f |
| files | src/charset.c src/version.c |
| diffstat | 2 files changed, 11 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/src/charset.c +++ b/src/charset.c @@ -1928,8 +1928,8 @@ vim_str2nr( while ('0' <= *ptr && *ptr <= '1') { /* avoid ubsan error for overflow */ - if (un < UVARNUM_MAX / 2) - un = 2 * un + (unsigned long)(*ptr - '0'); + if (un <= UVARNUM_MAX / 2) + un = 2 * un + (uvarnumber_T)(*ptr - '0'); else un = UVARNUM_MAX; ++ptr; @@ -1943,7 +1943,7 @@ vim_str2nr( while ('0' <= *ptr && *ptr <= '7') { /* avoid ubsan error for overflow */ - if (un < UVARNUM_MAX / 8) + if (un <= UVARNUM_MAX / 8) un = 8 * un + (uvarnumber_T)(*ptr - '0'); else un = UVARNUM_MAX; @@ -1960,7 +1960,7 @@ vim_str2nr( while (vim_isxdigit(*ptr)) { /* avoid ubsan error for overflow */ - if (un < UVARNUM_MAX / 16) + if (un <= UVARNUM_MAX / 16) un = 16 * un + (uvarnumber_T)hex2nr(*ptr); else un = UVARNUM_MAX; @@ -1974,9 +1974,12 @@ vim_str2nr( /* decimal */ while (VIM_ISDIGIT(*ptr)) { + uvarnumber_T digit = (uvarnumber_T)(*ptr - '0'); + /* avoid ubsan error for overflow */ - if (un < UVARNUM_MAX / 10) - un = 10 * un + (uvarnumber_T)(*ptr - '0'); + if (un < UVARNUM_MAX / 10 + || (un == UVARNUM_MAX / 10 && digit <= UVARNUM_MAX % 10)) + un = 10 * un + digit; else un = UVARNUM_MAX; ++ptr;