diff src/ops.c @ 33813:2e92551b2350 v9.0.2122

patch 9.0.2122: [security]: prevent overflow in indenting

Commit: https://github.com/vim/vim/commit/3770574e4a70e810add9929973c51f9070c8c851
Author: Christian Brabandt <cb@256bit.org>
Date:   Wed Nov 22 22:18:35 2023 +0100

    patch 9.0.2122: [security]: prevent overflow in indenting

    Problem:  [security]: prevent overflow in indenting
    Solution: use long long and remove cast to (int)

    The shiftwidth option values are defined as being long. However, when
    calculating the actual amount of indent, we cast down to (int), which
    may cause the shiftwidth value to become negative and later it may even
    cause Vim to try to allocate a huge amount of memory.

    We already use long and long long variable types to calculate the indent
    (and detect possible overflows), so the cast to (int) seems superfluous
    and can be safely removed. So let's just remove the (int) cast and
    calculate the indent using longs.

    Additionally, the 'shiftwidth' option value is also used when determining
    the actual 'cino' options. There it can again cause another overflow, so
    make sure it is safe in parse_cino() as well.

    fixes: #13554
    closes: #13555

    Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Wed, 22 Nov 2023 22:30:05 +0100
parents 2175a980f3eb
children 4550abd680b6
--- a/src/ops.c
+++ b/src/ops.c
@@ -230,8 +230,8 @@ shift_line(
     int call_changed_bytes)	// call changed_bytes()
 {
     long long	count;
-    int		i, j;
-    int		sw_val = (int)get_sw_value_indent(curbuf);
+    long	i, j;
+    long	sw_val = get_sw_value_indent(curbuf);
 
     count = (long long)get_indent();	// get current indent
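Review bot: The commit message says "use long long", but `i`, `j` and `sw_val` are declared `long` in this hunk and only `count` is `long long`. Where `long` is 32 bits wide, a product of these values would still be computed in 32 bits unless one operand is widened before the multiplication. Consider writing the computation as `(long long)i * sw_val` wherever the result feeds `count`, or declaring the three variables `long long` so the code matches the stated solution. The arithmetic itself lies outside the visible lines, so this should be confirmed against the rest of shift_line().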