modeline: Handle version number overflow. #5450

Closes #5449

A file containing the string "vim" followed by a very large number in a modeline
location will trigger an overflow in getdigits() which is called by
chk_modeline() when trying to parse the version number.

Add getdigits_safe(), which does not assert overflows, but reports them to the
caller.
Florian Larysch
2016-10-08 17:55:55 +02:00
committed by Justin M. Keyes
parent 0f32088ea2
commit 2a6c5bb0c4
4 changed files with 55 additions and 14 deletions


@@ -4509,7 +4509,7 @@ chk_modeline (
char_u *e;
char_u *linecopy; /* local copy of any modeline found */
int prev;
int vers;
intmax_t vers;
int end;
int retval = OK;
char_u *save_sourcing_name;
@@ -4528,7 +4528,10 @@ chk_modeline (
e = s + 4;
else
e = s + 3;
vers = getdigits_int(&e);
if (getdigits_safe(&e, &vers) != OK) {
continue;
}
if (*e == ':'
&& (s[0] != 'V'
|| STRNCMP(skipwhite(e + 1), "set", 3) == 0)
@@ -4536,8 +4539,9 @@ chk_modeline (
|| (VIM_VERSION_100 >= vers && isdigit(s[3]))
|| (VIM_VERSION_100 < vers && s[3] == '<')
|| (VIM_VERSION_100 > vers && s[3] == '>')
|| (VIM_VERSION_100 == vers && s[3] == '=')))
|| (VIM_VERSION_100 == vers && s[3] == '='))) {
break;
}
}
}
prev = *s;
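Review bot: The new `continue` after `getdigits_safe(&e, &vers) != OK` in the second hunk silently drops the candidate, and since this path is driven by the contents of whatever file is opened, the intent should be stated in a comment, for example `// Version number does not fit in intmax_t: not a usable modeline, keep scanning the line.` Widening `vers` to `intmax_t` in the first hunk also means every value that does fit is now compared against `VIM_VERSION_100` in the third hunk, so it is worth confirming that numbers far beyond any real version are meant to be honoured for the `<` form rather than rejected. The loop that `continue` targets and the rest of chk_modeline lie outside the hunks shown, and getdigits_safe is defined elsewhere, so how it leaves `e` and `vers` on failure, and what it does with a sign or no digits, should be checked against its definition.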