git.ipfire.org Git - thirdparty/vim.git/commit

author	Christian Brabandt <cb@256bit.org>
	Wed, 22 Nov 2023 21:18:35 +0000 (22:18 +0100)
committer	Christian Brabandt <cb@256bit.org>
	Wed, 22 Nov 2023 21:18:35 +0000 (22:18 +0100)
commit	3770574e4a70e810add9929973c51f9070c8c851
tree	4c07fbe0e332d8f4150c075ce96b5655da9fb625	tree
parent	26c11c56888d01e298cd8044caf860f3c26f57bb	commit \| diff

patch 9.0.2122: [security]: prevent overflow in indenting

Problem: [security]: prevent overflow in indenting
Solution: use long long and remove cast to (int)

The shiftwidth option values are defined as being long. However, when
calculating the actual amount of indent, we cast down to (int), which
may cause the shiftwidth value to become negative and later it may even
cause Vim to try to allocate a huge amount of memory.

We already use long and long long variable types to calculate the indent
(and detect possible overflows), so the cast to (int) seems superfluous
and can be safely removed. So let's just remove the (int) cast and
calculate the indent using longs.

Additionally, the 'shiftwidth' option value is also used when determining
the actual 'cino' options. There it can again cause another overflow, so
make sure it is safe in parse_cino() as well.

fixes: #13554
closes: #13555

Signed-off-by: Christian Brabandt <cb@256bit.org>

src/cindent.c		diff \| blob \| blame \| history
src/ops.c		diff \| blob \| blame \| history
src/testdir/test_indent.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history