# HG changeset patch
# User Christian Brabandt <cb@256bit.org>
# Date 1491141605 -7200
# Node ID ef32a5c74515f8ecd83facd96fee5683aab5237e
# Parent  e3ef35af5a08f79ca20417452861930a90c8bdbb
patch 8.0.0537: illegal memory access with :z and large count

commit https://github.com/vim/vim/commit/fa0ad0bb0b4255e64ebcf9269d60a942e0ae7ff9
Author: Bram Moolenaar <Bram@vim.org>
Date:   Sun Apr 2 15:45:17 2017 +0200

    patch 8.0.0537: illegal memory access with :z and large count

    Problem:    Illegal memory access with :z and large count.
    Solution:   Check for number overflow, using long instead of int. (Dominique
                Pelle, closes #1612)

diff --git a/src/Makefile b/src/Makefile
--- a/src/Makefile
+++ b/src/Makefile
@@ -2122,10 +2122,10 @@ test_arglist \
 	test_delete \
 	test_diffmode \
 	test_digraph \
-	test_functions \
 	test_display \
 	test_edit \
 	test_ex_undo \
+	test_ex_z \
 	test_execute_func \
 	test_expand \
 	test_expand_dllpath \
@@ -2142,6 +2142,7 @@ test_arglist \
 	test_fnameescape \
 	test_fnamemodify \
 	test_fold \
+	test_functions \
 	test_ga \
 	test_gf \
 	test_glob2regpat \
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4564,7 +4564,7 @@ ex_change(exarg_T *eap)
 ex_z(exarg_T *eap)
 {
     char_u	*x;
-    int		bigness;
+    long	bigness;
     char_u	*kind;
     int		minus = 0;
     linenr_T	start, end, curs, i;
@@ -4601,7 +4601,12 @@ ex_z(exarg_T *eap)
 	}
 	else
 	{
-	    bigness = atoi((char *)x);
+	    bigness = atol((char *)x);
+
+	    /* bigness could be < 0 if atol(x) overflows. */
+	    if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0)
+		bigness = 2 * curbuf->b_ml.ml_line_count;
+
 	    p_window = bigness;
 	    if (*kind == '=')
 		bigness += 2;
diff --git a/src/testdir/test_alot.vim b/src/testdir/test_alot.vim
--- a/src/testdir/test_alot.vim
+++ b/src/testdir/test_alot.vim
@@ -8,10 +8,11 @@ source test_changedtick.vim
 source test_cursor_func.vim
 source test_delete.vim
 source test_ex_undo.vim
+source test_ex_z.vim
 source test_execute_func.vim
 source test_expand.vim
+source test_expand_dllpath.vim
 source test_expr.vim
-source test_expand_dllpath.vim
 source test_feedkeys.vim
 source test_file_perm.vim
 source test_fileformat.vim
@@ -30,9 +31,9 @@ source test_join.vim
 source test_jumps.vim
 source test_lambda.vim
 source test_lispwords.vim
+source test_mapping.vim
 source test_match.vim
 source test_menu.vim
-source test_mapping.vim
 source test_messages.vim
 source test_partial.vim
 source test_popup.vim
diff --git a/src/testdir/test_ex_z.vim b/src/testdir/test_ex_z.vim
new file mode 100644
--- /dev/null
+++ b/src/testdir/test_ex_z.vim
@@ -0,0 +1,78 @@
+" Test :z
+
+func Test_z()
+  call setline(1, range(1, 100))
+
+  let a = execute('20z3')
+  call assert_equal("\n20\n21\n22", a)
+  call assert_equal(22, line('.'))
+  " 'window' should be set to the {count} value.
+  call assert_equal(3, &window)
+
+  " If there is only one window, then twice the amount of 'scroll' is used.
+  set scroll=2
+  let a = execute('20z')
+  call assert_equal("\n20\n21\n22\n23", a)
+  call assert_equal(23, line('.'))
+
+  let a = execute('20z+3')
+  " FIXME: I would expect the same result as '20z3' but it
+  " gives "\n21\n22\n23" instead. Bug in Vim or in ":help :z"?
+  "call assert_equal("\n20\n21\n22", a)
+  "call assert_equal(22, line('.'))
+
+  let a = execute('20z-3')
+  call assert_equal("\n18\n19\n20", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z=3')
+  call assert_match("^\n18\n19\n-\\+\n20\n-\\+\n21\n22$", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z^3')
+  call assert_equal("\n14\n15\n16\n17", a)
+  call assert_equal(17, line('.'))
+
+  let a = execute('20z.3')
+  call assert_equal("\n19\n20\n21", a)
+  call assert_equal(21, line('.'))
+
+  let a = execute('20z#3')
+  call assert_equal("\n 20 20\n 21 21\n 22 22", a)
+  call assert_equal(22, line('.'))
+
+  let a = execute('20z#-3')
+  call assert_equal("\n 18 18\n 19 19\n 20 20", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z#=3')
+  call assert_match("^\n 18 18\n 19 19\n-\\+\n 20 20\n-\\+\n 21 21\n 22 22$", a)
+  call assert_equal(20, line('.'))
+
+  " Test with {count} bigger than the number of lines in buffer.
+  let a = execute('20z1000')
+  call assert_match("^\n20\n21\n.*\n99\n100$", a)
+  call assert_equal(100, line('.'))
+
+  let a = execute('20z-1000')
+  call assert_match("^\n1\n2\n.*\n19\n20$", a)
+  call assert_equal(20, line('.'))
+
+  let a = execute('20z=1000')
+  call assert_match("^\n1\n.*\n-\\+\n20\n-\\\+\n.*\n100$", a)
+  call assert_equal(20, line('.'))
+
+  call assert_fails('20z=a', 'E144:')
+
+  set window& scroll&
+  bw!
+endfunc
+
+func Test_z_bug()
+  " This used to access invalid memory as a result of an integer overflow
+  " and freeze vim.
+  normal ox
+  normal Heat
+  z777777776666666
+  ')
+endfunc
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -765,6 +765,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    537,
+/**/
     536,
 /**/
     535,