git.ipfire.org Git - thirdparty/vim.git/commit

author	Christian Brabandt <cb@256bit.org>
	Tue, 14 Nov 2023 21:42:59 +0000 (22:42 +0100)
committer	Christian Brabandt <cb@256bit.org>
	Thu, 16 Nov 2023 21:04:38 +0000 (22:04 +0100)
commit	6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e
tree	db7b6854a3ba228733800239540e12dabe6f69e4	tree \| snapshot
parent	73b2d3790cad5694fc0ed0db2926e4220c48d968	commit \| diff

patch 9.0.2112: [security]: overflow in shift_line

Problem: [security]: overflow in shift_line
Solution: allow a max indent of INT_MAX

[security]: overflow in shift_line

When shifting lines in operator pending mode and using a very large
value, we may overflow the size of integer. Fix this by using a long
variable, testing if the result would be larger than INT_MAX and if so,
indent by INT_MAX value.

Special case: We cannot use long here, since on 32bit architectures (or
on Windows?), it typically cannot take larger values than a plain int,
so we have to use long long count, decide whether the resulting
multiplication of the shiftwidth value * amount is larger than INT_MAX
and if so, we will store INT_MAX as possible larges value in the long
long count variable.

Then we can safely cast it back to int when calling the functions to set
the indent (set_indent() or change_indent()). So this should be safe.

Add a test that when using a huge value in operator pending mode for
shifting, we will shift by INT_MAX

closes: #13535

Signed-off-by: Christian Brabandt <cb@256bit.org>

src/ops.c		diff \| blob \| blame \| history
src/testdir/test_indent.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history