mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-29 14:38:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.0.2110: [security]: overflow in ex address parsing

Browse Source 
Problem:  [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
          LONG_MAX

[security]: overflow in ex address parsing

When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).

So verify that lnum is actually positive before doing the overflow
check.

060623e4a3

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2023-11-17 07:14:07 +08:00
parent 016c6fae27
commit 809b05bf27
2 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/nvim/ex_docmd.c
View File

@@ -3552,7 +3552,7 @@ static linenr_T get_address(exarg_T *eap, char **ptr, cmd_addr_T addr_type, int
if (i == '-') { if (i == '-') {
lnum -= n; lnum -= n;
} else { } else {
if (n >= INT32_MAX - lnum) { if (lnum >= 0 && n >= INT32_MAX - lnum) {
*errormsg = _(e_line_number_out_of_range); *errormsg = _(e_line_number_out_of_range);
goto error; goto error;
} }

4
test/old/testdir/test_excmd.vim
View File

@@ -745,5 +745,9 @@ func Test_write_after_rename()
bwipe! bwipe!
endfunc endfunc
" catch address lines overflow
func Test_ex_address_range_overflow()
call assert_fails(':--+foobar', 'E492:')
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab