From ab350f89f9646e07aefe16a32ba3ddb847496b4a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Thu, 28 Feb 2019 06:25:00 +0100
Subject: patch 8.1.0985: crash with large number in regexp

Problem:    Crash with large number in regexp. (Kuang-che Wu)
Solution:   Check for long becoming negative int. (closes #)
---
 src/regexp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/regexp.c')

diff --git a/src/regexp.c b/src/regexp.c
index 5c06ada1b..d7c577077 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -2228,7 +2228,7 @@ regatom(int *flagp)
 				  default:  i = -1; break;
 			      }
 
-			      if (i < 0)
+			      if (i < 0 || i > INT_MAX)
 				  EMSG2_RET_NULL(
 					_("E678: Invalid character after %s%%[dxouU]"),
 					reg_magic == MAGIC_ALL);
@@ -3293,7 +3293,7 @@ coll_get_char(void)
 	case 'u': nr = gethexchrs(4); break;
 	case 'U': nr = gethexchrs(8); break;
     }
-    if (nr < 0)
+    if (nr < 0 || nr > INT_MAX)
     {
 	/* If getting the number fails be backwards compatible: the character
 	 * is a backslash. */
-- 
cgit v1.2.1