# HG changeset patch
# User Christian Brabandt <cb@256bit.org>
# Date 1700169311 -3600
# Node ID 06ad070cda83f04c5da18707a842e795bac21633
# Parent  b69a3eea15bdf536cd6883b65c3c9b01f86974f8
patch 9.0.2109: [security]: overflow in nv_z_get_count

Commit: https://github.com/vim/vim/commit/58f9befca1fa172068effad7f2ea5a9d6a7b0cca
Author: Christian Brabandt <cb@256bit.org>
Date:   Tue Nov 14 21:02:30 2023 +0100

    patch 9.0.2109: [security]: overflow in nv_z_get_count

    Problem:  [security]: overflow in nv_z_get_count
    Solution: break out, if count is too large

    When getting the count for a normal z command, it may overflow for large
    counts given. So verify, that we can safely store the result in a long.

    Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/normal.c b/src/normal.c
--- a/src/normal.c
+++ b/src/normal.c
@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar
 	if (nchar == K_DEL || nchar == K_KDEL)
 	    n /= 10;
 	else if (VIM_ISDIGIT(nchar))
+	{
+	    if (n > LONG_MAX / 10)
+	    {
+		clearopbeep(cap->oap);
+		break;
+	    }
 	    n = n * 10 + (nchar - '0');
+	}
 	else if (nchar == CAR)
 	{
 #ifdef FEAT_GUI
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank()
   bw!
 endfunc
 
+func Test_normal34_zet_large()
+  " shouldn't cause overflow
+  norm! z9765405999999999999
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2109,
+/**/
     2108,
 /**/
     2107,