vim: src/regexp.c comparison

comparison src/regexp.c @ 15959:4feaa025491b v8.1.0985

patch 8.1.0985: crash with large number in regexp commit https://github.com/vim/vim/commit/ab350f89f9646e07aefe16a32ba3ddb847496b4a Author: Bram Moolenaar <Bram@vim.org> Date: Thu Feb 28 06:25:00 2019 +0100 patch 8.1.0985: crash with large number in regexp Problem: Crash with large number in regexp. (Kuang-che Wu) Solution: Check for long becoming negative int. (closes #)

author	Bram Moolenaar <Bram@vim.org>
date	Thu, 28 Feb 2019 06:30:11 +0100
parents	ff00d207cc5e
children	ddd82b1c9e9d

comparison

equal deleted inserted replaced

-:5b3c0bb37ebc
+:4feaa025491b
 				  case 'u': i = gethexchrs(4); break;
 				  case 'U': i = gethexchrs(8); break;
 				  default:  i = -1; break;
 			      }
-			      if (i < 0)
+			      if (i < 0 || i > INT_MAX)
 				  EMSG2_RET_NULL(
 					_("E678: Invalid character after %s%%[dxouU]"),
 					reg_magic == MAGIC_ALL);
 			      if (use_multibytecode(i))
 				  ret = regnode(MULTIBYTECODE);
 	case 'o': nr = getoctchrs(); break;
 	case 'x': nr = gethexchrs(2); break;
 	case 'u': nr = gethexchrs(4); break;
 	case 'U': nr = gethexchrs(8); break;
 }
-if (nr < 0)
+if (nr < 0 || nr > INT_MAX)
 {
 	/* If getting the number fails be backwards compatible: the character
 	 * is a backslash. */
 	--regparse;
 	nr = '\\';

Mercurial > vim

comparison src/regexp.c @ 15959:4feaa025491b v8.1.0985