patch 8.0.0879: crash when shifting with huge number

Problem:    Crash when shifting with huge number.
Solution:   Check for overflow. (Dominique Pelle, closes #1945)

diff --git a/src/ops.c b/src/ops.c
index 0f42dea0031f21fc5f4ce6c190a8454344b81e4f..5c58e523f3879d490b20d31dc8b47767265fa863 100644 (file)
--- a/src/ops.c
+++ b/src/ops.c
@@ -396,7 +396,10 @@ shift_block(oparg_T *oap, int amount)
        return;
 
     /* total is number of screen columns to be inserted/removed */
-    total = amount * p_sw;
+    total = (int)((unsigned)amount * (unsigned)p_sw);
+    if ((total / p_sw) != amount)
+       return; /* multiplication overflow */
+
     oldp = ml_get_curline();
 
     if (!left)

diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
index 371fab57a1b7be03cc10e19d49fc9a0a49a0838e..97b884fe0c3e92400c364aca222cb8c525fdfbda 100644 (file)
--- a/src/testdir/test_visual.vim
+++ b/src/testdir/test_visual.vim
@@ -18,6 +18,14 @@ func Test_block_shift_multibyte()
   q!
 endfunc
 
+func Test_block_shift_overflow()
+  " This used to cause a multiplication overflow followed by a crash.
+  new
+  normal ii
+  exe "normal \<C-V>876543210>"
+  q!
+endfunc
+
 func Test_dotregister_paste()
   new
   exe "norm! ihello world\<esc>"

diff --git a/src/version.c b/src/version.c
index de89ce45af2ea4083bc2fc815101d4278eaec5b9..784f6c1e279f0816f11bf2e8eda5c0ffd9df2a1f 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -769,6 +769,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    879,
 /**/
     878,
 /**/