patch 9.0.2110: [security]: overflow in ex address parsing

Problem:  [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
          LONG_MAX

[security]: overflow in ex address parsing

When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).

So verify that lnum is actually positive before doing the overflow
check.

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 06837ac92c55c40ab2c40c6c35a715097b156678..01d411a632ccf49e9abdcce721e254ec678bcd45 100644 (file)
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4644,7 +4644,7 @@ get_address(
                    lnum -= n;
                else
                {
-                   if (n >= LONG_MAX - lnum)
+                   if (lnum >= 0 && n >= LONG_MAX - lnum)
                    {
                        emsg(_(e_line_number_out_of_range));
                        goto error;

diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
index 3637351f636c0214cbc40f679facbbaad5aceca9..47fc26726d5e6ef077e0aae0b8135f9548f50ed1 100644 (file)
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim
@@ -724,5 +724,9 @@ func Test_write_after_rename()
   bwipe!
 endfunc
 
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+  call assert_fails(':--+foobar', 'E492:')
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 2f82473f59beb343f9ab227c496d93967256ad12..86fa528c8af2d9228fdf7f8bcc991657e1e53bce 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2110,
 /**/
     2109,
 /**/