patch 8.0.1470: integer overflow when using regexp pattern v8.0.1470
authorBram Moolenaar <Bram@vim.org>
Sun, 4 Feb 2018 17:22:46 +0000 (18:22 +0100)
committerBram Moolenaar <Bram@vim.org>
Sun, 4 Feb 2018 17:22:46 +0000 (18:22 +0100)
Problem:    Integer overflow when using regexp pattern. (geeknik)
Solution:   Use a long instead of int. (Christian Brabandt, closes #2251)

src/regexp_nfa.c
src/version.c

index afd42383cf8fa0caf0956e221a8f0190cf9cfa83..43fe5dc4d4b2bd6d736559086578341571aad5e6 100644 (file)
@@ -1600,7 +1600,7 @@ nfa_regatom(void)
 
                default:
                    {
-                       int     n = 0;
+                       long    n = 0;
                        int     cmp = c;
 
                        if (c == '<' || c == '>')
@@ -1628,7 +1628,14 @@ nfa_regatom(void)
                                /* \%{n}v  \%{n}<v  \%{n}>v  */
                                EMIT(cmp == '<' ? NFA_VCOL_LT :
                                     cmp == '>' ? NFA_VCOL_GT : NFA_VCOL);
-                           EMIT(n);
+#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG
+                           if (n > INT_MAX)
+                           {
+                               EMSG(_("E951: \\% value too large"));
+                               return FAIL;
+                           }
+#endif
+                           EMIT((int)n);
                            break;
                        }
                        else if (c == '\'' && n == 0)
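Review bot: The `n > INT_MAX` check is compiled only under `#if VIM_SIZEOF_INT < VIM_SIZEOF_LONG`, so on targets where `long` is no wider than `int` (ILP32, 64-bit Windows) `n` keeps its old range and the value handed to `EMIT((int)n)` is never bounded. Even where `long` is wider, the check runs after the digits have been accumulated, so a long enough digit string in the pattern can still overflow `n` itself, which is undefined behaviour for a signed type. The accumulation code sits between this hunk and the previous one and is not shown; presumably it multiplies by ten per digit, in which case bounding it there, e.g. `if (n > (INT_MAX - (c - '0')) / 10) { EMSG(_("E951: \\% value too large")); return FAIL; }` before the multiply, would cover every platform without the `#if`. The file list shows no test change, so a regression test that feeds an oversized `\%{n}v` count and expects E951 would be worth adding.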
@@ -3970,7 +3977,7 @@ static int nfa_match;
 #ifdef FEAT_RELTIME
 static proftime_T  *nfa_time_limit;
 static int        *nfa_timed_out;
-static int         nfa_time_count;
+static int         nfa_time_count;
 #endif
 
 static void copy_pim(nfa_pim_T *to, nfa_pim_T *from);
@@ -4068,10 +4075,10 @@ copy_ze_off(regsub_T *to, regsub_T *from)
        if (REG_MULTI)
        {
            if (from->list.multi[0].end_lnum >= 0)
-            {
+           {
                to->list.multi[0].end_lnum = from->list.multi[0].end_lnum;
                to->list.multi[0].end_col = from->list.multi[0].end_col;
-            }
+           }
        }
        else
        {
@@ -5124,9 +5131,9 @@ recursive_regmatch(
     }
 
     if (state->c == NFA_START_INVISIBLE_BEFORE
-        || state->c == NFA_START_INVISIBLE_BEFORE_FIRST
-        || state->c == NFA_START_INVISIBLE_BEFORE_NEG
-        || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST)
+           || state->c == NFA_START_INVISIBLE_BEFORE_FIRST
+           || state->c == NFA_START_INVISIBLE_BEFORE_NEG
+           || state->c == NFA_START_INVISIBLE_BEFORE_NEG_FIRST)
     {
        /* The recursive match must end at the current position. When "pim" is
         * not NULL it specifies the current position. */
@@ -6302,7 +6309,7 @@ nfa_regmatch(
                        }
                    }
                    else if (state->c < 0 ? check_char_class(state->c, curc)
-                               : (curc == state->c
+                              : (curc == state->c
                                   || (rex.reg_ic && MB_TOLOWER(curc)
                                                    == MB_TOLOWER(state->c))))
                    {
@@ -6863,7 +6870,7 @@ nfa_regmatch(
                        && (REG_MULTI
                            ? (reglnum < nfa_endp->se_u.pos.lnum
                               || (reglnum == nfa_endp->se_u.pos.lnum
-                                  && (int)(reginput - regline)
+                                  && (int)(reginput - regline)
                                                    < nfa_endp->se_u.pos.col))
                            : reginput < nfa_endp->se_u.ptr))))
        {
index 5786860a5b2ca925867c3879be0256962aa67ffd..5d417029be89bc53a7ca25716e76b45be0c33485 100644 (file)
@@ -771,6 +771,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1470,
 /**/
     1469,
 /**/