patch 9.0.2109: [security]: overflow in nv_z_get_count

Problem:  [security]: overflow in nv_z_get_count
Solution: break out, if count is too large

When getting the count for a normal z command, it may overflow for large
counts given. So verify, that we can safely store the result in a long.

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/normal.c b/src/normal.c
index a06d61e6fce7d16d12646ed0ac040ce06ad0c3a9..16b4b45069329f533de21d3833638c29d564d865 100644 (file)
--- a/src/normal.c
+++ b/src/normal.c
@@ -2562,7 +2562,14 @@ nv_z_get_count(cmdarg_T *cap, int *nchar_arg)
        if (nchar == K_DEL || nchar == K_KDEL)
            n /= 10;
        else if (VIM_ISDIGIT(nchar))
+       {
+           if (n > LONG_MAX / 10)
+           {
+               clearopbeep(cap->oap);
+               break;
+           }
            n = n * 10 + (nchar - '0');
+       }
        else if (nchar == CAR)
        {
 #ifdef FEAT_GUI

diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index c7d37f066f20883aef1e109ddc6e245a8b8d5bde..6b889f46b3dd7cf64064afdffc8a9982cd3229fc 100644 (file)
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -4159,4 +4159,9 @@ func Test_normal33_g_cmd_nonblank()
   bw!
 endfunc
 
+func Test_normal34_zet_large()
+  " shouldn't cause overflow
+  norm! z9765405999999999999
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index 16db8f23128906610677fc6ca950621eb046acc7..2f82473f59beb343f9ab227c496d93967256ad12 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2109,
 /**/
     2108,
 /**/