summaryrefslogtreecommitdiff
path: root/src/ex_cmds.c
diff options
context:
space:
mode:
authorBram Moolenaar <Bram@vim.org>2017-04-02 15:45:17 +0200
committerBram Moolenaar <Bram@vim.org>2017-04-02 15:45:17 +0200
commitfa0ad0bb0b4255e64ebcf9269d60a942e0ae7ff9 (patch)
treeae65d2686b40af1da994593c849770d973651095 /src/ex_cmds.c
parent69f40be64555d50f603c6f22722cf762aaa6bbc1 (diff)
downloadvim-git-fa0ad0bb0b4255e64ebcf9269d60a942e0ae7ff9.tar.gz
patch 8.0.0537: illegal memory access with :z and large countv8.0.0537
Problem: Illegal memory access with :z and large count. Solution: Check for number overflow, using long instead of int. (Dominique Pelle, closes #1612)
Diffstat (limited to 'src/ex_cmds.c')
-rw-r--r--src/ex_cmds.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 6940e5527..4b0bdef59 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -4564,7 +4564,7 @@ ex_change(exarg_T *eap)
ex_z(exarg_T *eap)
{
char_u *x;
- int bigness;
+ long bigness;
char_u *kind;
int minus = 0;
linenr_T start, end, curs, i;
@@ -4601,7 +4601,12 @@ ex_z(exarg_T *eap)
}
else
{
- bigness = atoi((char *)x);
+ bigness = atol((char *)x);
+
+ /* bigness could be < 0 if atol(x) overflows. */
+ if (bigness > 2 * curbuf->b_ml.ml_line_count || bigness < 0)
+ bigness = 2 * curbuf->b_ml.ml_line_count;
+
p_window = bigness;
if (*kind == '=')
bigness += 2;