Mercurial > vim

diff src/ex_cmds.c @ 11303:ef32a5c74515 v8.0.0537

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 8.0.0537: illegal memory access with :z and large count commit https://github.com/vim/vim/commit/fa0ad0bb0b4255e64ebcf9269d60a942e0ae7ff9 Author: Bram Moolenaar <Bram@vim.org> Date: Sun Apr 2 15:45:17 2017 +0200 patch 8.0.0537: illegal memory access with :z and large count Problem: Illegal memory access with :z and large count. Solution: Check for number overflow, using long instead of int. (Dominique Pelle, closes #1612)
author Christian Brabandt <cb@256bit.org>
date Sun, 02 Apr 2017 16:00:05 +0200
parents 918942a3b0ef
children 1074f58e1673
line wrap: on
line diff
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4564,7 +4564,7 @@ ex_change(exarg_T *eap)
 ex_z(exarg_T *eap)
 {
     char_u	*x;
-    int		bigness;
+    long	bigness;
     char_u	*kind;
     int		minus = 0;
     linenr_T	start, end, curs, i;
@@ -4601,7 +4601,12 @@ ex_z(exarg_T *eap)
 	}
 	else
 	{
-	    bigness = atoi((char *)x);
+	    bigness = atol((char *)x);
+
+	    /* bigness could be < 0 if atol(x) overflows. */
+	    if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0)
+		bigness = 2 * curbuf->b_ml.ml_line_count;
+
 	    p_window = bigness;
 	    if (*kind == '=')
 		bigness += 2;