vim-patch:9.0.2110: [security]: overflow in ex address parsing

Problem: [security]: overflow in ex address parsing Solution: Verify that lnum is positive, before substracting from LONG_MAX [security]: overflow in ex address parsing When parsing relative ex addresses one may unintentionally cause an overflow (because LONG_MAX - lnum will overflow for negative addresses). So verify that lnum is actually positive before doing the overflow check. 060623e4a3 Co-authored-by: Christian Brabandt <cb@256bit.org>
2025-09-29 06:28:35 +00:00 · 2023-11-17 07:14:07 +08:00
parent 016c6fae27
commit 809b05bf27
2 changed files with 5 additions and 1 deletions
--- a/src/nvim/ex_docmd.c
+++ b/src/nvim/ex_docmd.c
@@ -3552,7 +3552,7 @@ static linenr_T get_address(exarg_T *eap, char **ptr, cmd_addr_T addr_type, int
        if (i == '-') {
          lnum -= n;
        } else {
-          if (n >= INT32_MAX - lnum) {
+          if (lnum >= 0 && n >= INT32_MAX - lnum) {
            *errormsg = _(e_line_number_out_of_range);
            goto error;
          }
--- a/test/old/testdir/test_excmd.vim
+++ b/test/old/testdir/test_excmd.vim
@@ -745,5 +745,9 @@ func Test_write_after_rename()
  bwipe!
 endfunc

+" catch address lines overflow
+func Test_ex_address_range_overflow()
+  call assert_fails(':--+foobar', 'E492:')
+endfunc

 " vim: shiftwidth=2 sts=2 expandtab