mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-29 06:28:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.0.2109: [security]: overflow in nv_z_get_count

Browse Source 
Problem:  [security]: overflow in nv_z_get_count
Solution: break out, if count is too large

When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.

58f9befca1

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2023-11-17 07:11:56 +08:00
parent a4c111ae69
commit 016c6fae27
2 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/nvim/normal.c
View File

@@ -2695,6 +2695,10 @@ static bool nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
if (nchar == K_DEL || nchar == K_KDEL) { if (nchar == K_DEL || nchar == K_KDEL) {
n /= 10; n /= 10;
} else if (ascii_isdigit(nchar)) { } else if (ascii_isdigit(nchar)) {
if (n > INT_MAX / 10) {
clearopbeep(cap->oap);
break;
}
n = n * 10 + (nchar - '0'); n = n * 10 + (nchar - '0');
} else if (nchar == CAR) { } else if (nchar == CAR) {
win_setheight(n); win_setheight(n);

5
test/old/testdir/test_normal.vim
View File

@@ -4164,4 +4164,9 @@ func Test_normal33_g_cmd_nonblank()
bw! bw!
endfunc endfunc
func Test_normal34_zet_large()
" shouldn't cause overflow
norm! z9765405999999999999
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab