patch 9.2.0023: fix integer overflow in ml_append_int() for long lines v9.2.0023
authorChristian Brabandt <cb@256bit.org>
Wed, 18 Feb 2026 21:49:58 +0000 (21:49 +0000)
committerChristian Brabandt <cb@256bit.org>
Wed, 18 Feb 2026 21:49:58 +0000 (21:49 +0000)
Problem:  ml_append_int() crashes when appending lines near MAXCOL
          length due to signed integer overflow in space_needed
          calculation.
Solution: Change 'space_needed' from int to long to handle the
          'len + INDEX_SIZE' computation without overflow. Update
          db_free comparison casts from (int) to (long) to match.

Note: supported by AI claude

related: #17935
related: #18953
related: #19332

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/memline.c
src/version.c

index 427b64924ab81ad9086ea3e8474557ef4ce50e08..604982a901b2d3e4c97982d2ced0a3193e2c7d30 100644 (file)
@@ -2941,7 +2941,7 @@ ml_append_int(
     int                line_count;     // number of indexes in current block
     int                offset;
     int                from, to;
-    int                space_needed;   // space needed for new line
+    long       space_needed;   // space needed for new line
     int                page_size;
     int                page_count;
     int                db_idx;         // index for lnum in data block
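Review bot: `long space_needed` only gains range where `long` is wider than `int`. On 64-bit Windows (LLP64) and on 32-bit builds `long` is still 32 bits, so a length near MAXCOL plus INDEX_SIZE presumably still cannot be represented there, and the three `(long)dp->db_free` comparisons in the later hunks inherit the same limit. A range check before the addition would cover every target, for example `if (len > LONG_MAX - (long)INDEX_SIZE) return FAIL;` (assuming `len` is a signed length and the function reports failure that way; neither is visible here). The context lines also keep `page_size` and `page_count` as `int`, so it is worth confirming that nothing computed from `space_needed` further down is narrowed back to `int`. The body of ml_append_int() starts and ends outside this hunk.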
@@ -3018,7 +3018,7 @@ ml_append_int(
  * - not appending to the last line in the file
  * insert in front of the next block.
  */
-    if ((int)dp->db_free < space_needed && db_idx == line_count - 1
+    if ((long)dp->db_free < space_needed && db_idx == line_count - 1
                                            && lnum < buf->b_ml.ml_line_count)
     {
        /*
@@ -3041,7 +3041,7 @@ ml_append_int(
 
     ++buf->b_ml.ml_line_count;
 
-    if ((int)dp->db_free >= space_needed)      // enough room in data block
+    if ((long)dp->db_free >= space_needed)     // enough room in data block
     {
        /*
         * Insert the new line in an existing data block, or in the data block
@@ -3142,7 +3142,7 @@ ml_append_int(
                data_moved = ((dp->db_index[db_idx]) & DB_INDEX_MASK) -
                                                            dp->db_txt_start;
                total_moved = data_moved + lines_moved * INDEX_SIZE;
-               if ((int)dp->db_free + total_moved >= space_needed)
+               if ((long)dp->db_free + total_moved >= space_needed)
                {
                    in_left = TRUE;     // put new line in left block
                    space_needed = total_moved;
index b6d79d2cd9de5b3b3c103b0120ad9caed4df40e4..965ce4b9e31ea26a1083708f5676509e38e5ea85 100644 (file)
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    23,
 /**/
     22,
 /**/