From ac5856b3f515a39f5047f47d9c675a6206ce19bf Mon Sep 17 00:00:00 2001
From: Sean Dewar
Date: Tue, 15 Feb 2022 18:04:22 +0000
Subject: [PATCH] vim-patch:8.2.3492: crash when pasting too many times
Problem: Crash when pasting too many times.
Solution: Limit the size to what fits in an int. (closes vim/vim#8962)
https://github.com/vim/vim/commit/eeed1c7ae090c17f4df51cf97b2a9e4d8b4f4dc7
Note that this overflow check pretty bad. It also doesn't work well on Windows (where sizeof(int) == sizeof(long)). This is all temporary; everything here is rewritten in future patches anyway. e_resulting_text_too_long was already cherry-picked. totlen is size_t in Nvim, but is int in Vim. This means we'll need some casts. We could technically adjust the logic in do_put to use the entire range of size_t in stuff like totlen, but there's not much gain, and it's much easier to just port the patch like Vim as was done before (also allows us to use the same tests).
---
 src/nvim/ops.c | 9 +++++++--
 src/nvim/testdir/test_put.vim | 7 +++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/nvim/ops.c b/src/nvim/ops.c
index 18facef13c..e6e617a419 100644
--- a/src/nvim/ops.c
+++ b/src/nvim/ops.c
@@ -3431,8 +3431,13 @@ void do_put(int regname, yankreg_T *reg, int dir, long count, int flags)
 }
 do {
- totlen = (size_t)(count * yanklen);
- if (totlen > 0) {
+ const long multlen = count * yanklen;
+
+ totlen = (size_t)(int)multlen;
+ if (totlen != (size_t)multlen) {
+ emsg(_(e_resulting_text_too_long));
+ break;
+ } else if (totlen > 0) {
 oldp = ml_get(lnum);
 if (lnum > start_lnum) {
 pos_T pos = {
diff --git a/src/nvim/testdir/test_put.vim b/src/nvim/testdir/test_put.vim
index ed76709a56..cef2cf0dd7 100644
--- a/src/nvim/testdir/test_put.vim
+++ b/src/nvim/testdir/test_put.vim
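Review bot: The new range check in the `do { ... }` body runs only after `count * yanklen` has been evaluated, so a product that wraps can land on a value the `(int)` round-trip accepts, including a negative one that becomes a very large `totlen` and still passes `totlen > 0`. Where `long` and `int` have the same width the comparison can never fail at all, which the commit message itself notes for Windows. Bounding the operands before multiplying closes both gaps, for example `if (yanklen != 0 && count > INT_MAX / (long)yanklen) { emsg(_(e_resulting_text_too_long)); break; }`; this assumes `count` is non-negative and `yanklen` fits in a `long`, and both are declared outside the hunk, so that needs confirming. do_put's body continues on both sides of the hunk.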
@@ -138,6 +138,13 @@ func Test_p_with_count_leaves_mark_at_end()
 bwipe!
 endfunc
+func Test_very_larg_count()
+ new
+ let @" = 'x'
+ call assert_fails('norm 44444444444444p', 'E1240:')
+ bwipe!
+endfunc
+
 func Test_put_above_first_line()
 new
 let @" = 'text'
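Review bot: `Test_very_larg_count` pins only one shape of the failure, a one-character register with a count whose product overflows `int` without coming near the limit of a 64-bit `long`. A second assertion with a longer register, e.g. `let @" = repeat('x', 100)` followed by the same `assert_fails` line, would make the register length contribute to the product as well; whether it takes the same path depends on do_put code outside this patch. If the spelling `larg` is kept on purpose to match the upstream Vim test, a one-line comment such as `" Name kept as in Vim patch 8.2.3492.` would stop it being corrected later and drifting from upstream.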