changeset 13192:9bd4151e5aeb v8.0.1470

patch 8.0.1470: integer overflow when using regexp pattern commit https://github.com/vim/vim/commit/2c7b906afb86b986476cfc959732e433b1b4a3b1 Author: Bram Moolenaar <Bram@vim.org> Date: Sun Feb 4 18:22:46 2018 +0100 patch 8.0.1470: integer overflow when using regexp pattern Problem: Integer overflow when using regexp pattern. (geeknik) Solution: Use a long instead of int. (Christian Brabandt, closes https://github.com/vim/vim/issues/2251)
author Christian Brabandt <cb@256bit.org>
date Sun, 04 Feb 2018 18:30:05 +0100
parents da2eafedb3c6
children d42a3b8adbd3
files src/regexp_nfa.c src/version.c
diffstat 2 files changed, 19 insertions(+), 10 deletions(-) [+]
--- a/src/regexp_nfa.c
+++ b/src/regexp_nfa.c
@@ -1600,7 +1600,7 @@ nfa_regatom(void)
 
 		default:
 		    {
-			int	n = 0;
+			long	n = 0;
 			int	cmp = c;
 
 			if (c == '<' || c == '>')
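Review bot: Widening `n` to `long` moves the overflow rather than bounding it. On targets where `long` is as wide as `int`, which is the case the `#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG` guard in the `@@ -1628` hunk compiles out, nothing changes; where `long` is wider, a long enough digit run can still overflow `n` before the `n > INT_MAX` test is reached. The loop that accumulates the digits sits between the two hunks and is not visible, so this is inferred. If it is a plain multiply-and-add, reject the value inside the loop before multiplying, e.g. `if (n > (INT_MAX - (c - '0')) / 10) { EMSG(_("E951: \\% value too large")); return FAIL; }`, which needs neither the wider type nor the `#if`. Signed overflow is undefined behaviour, and regexp patterns are often taken from input the user did not write, so the bound should hold on every platform.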
@@ -1628,7 +1628,14 @@ nfa_regatom(void)
 				/* \%{n}v  \%{n}<v  \%{n}>v  */
 				EMIT(cmp == '<' ? NFA_VCOL_LT :
 				     cmp == '>' ? NFA_VCOL_GT : NFA_VCOL);
-			    EMIT(n);
+#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG
+			    if (n > INT_MAX)
+			    {
+				EMSG(_("E951: \\% value too large"));
+				return FAIL;
+			    }
+#endif
+			    EMIT((int)n);
 			    break;
 			}
 			else if (c == '\'' && n == 0)
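Review bot: The new `#if` guard and the `(int)n` cast carry no comment saying why the count must fit an `int`. I would add `/* The emitted NFA program holds int values; reject a count that does not fit. */` above the `#if`, worded to match what `EMIT` actually stores, since its definition is outside this hunk. The commit's file list (src/regexp_nfa.c, src/version.c) also shows no regression test, so a test that an oversized `\%` count fails with E951 would keep the guard from regressing. The enclosing `default:` block starts in the previous hunk and continues past this one.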
@@ -3970,7 +3977,7 @@ static int nfa_match;
 #ifdef FEAT_RELTIME
 static proftime_T  *nfa_time_limit;
 static int	   *nfa_timed_out;
-static int         nfa_time_count;
+static int	    nfa_time_count;
 #endif
 
 static void copy_pim(nfa_pim_T *to, nfa_pim_T *from);
@@ -4068,10 +4075,10 @@ copy_ze_off(regsub_T *to, regsub_T *from
 	if (REG_MULTI)
 	{
 	    if (from->list.multi[0].end_lnum >= 0)
-            {
+	    {
 		to->list.multi[0].end_lnum = from->list.multi[0].end_lnum;
 		to->list.multi[0].end_col = from->list.multi[0].end_col;
-            }
+	    }
 	}
 	else
 	{
@@ -5124,9 +5131,9 @@ recursive_regmatch(
     }
 
     if (state->c == NFA_START_INVISIBLE_BEFORE
-        || state->c == NFA_START_INVISIBLE_BEFORE_FIRST
-        || state->c == NFA_START_INVISIBLE_BEFORE_NEG
-        || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST)
+	    || state->c == NFA_START_INVISIBLE_BEFORE_FIRST
+	    || state->c == NFA_START_INVISIBLE_BEFORE_NEG
+	    || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST)
     {
 	/* The recursive match must end at the current position. When "pim" is
 	 * not NULL it specifies the current position. */
@@ -6302,7 +6309,7 @@ nfa_regmatch(
 			}
 		    }
 		    else if (state->c < 0 ? check_char_class(state->c, curc)
-			        : (curc == state->c
+			       : (curc == state->c
 				   || (rex.reg_ic && MB_TOLOWER(curc)
 						    == MB_TOLOWER(state->c))))
 		    {
@@ -6863,7 +6870,7 @@ nfa_regmatch(
 			&& (REG_MULTI
 			    ? (reglnum < nfa_endp->se_u.pos.lnum
 			       || (reglnum == nfa_endp->se_u.pos.lnum
-			           && (int)(reginput - regline)
+				   && (int)(reginput - regline)
 						    < nfa_endp->se_u.pos.col))
 			    : reginput < nfa_endp->se_u.ptr))))
 	{
--- a/src/version.c
+++ b/src/version.c
@@ -772,6 +772,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1470,
+/**/
     1469,
 /**/
     1468,