patch 9.2.0023: fix integer overflow in ml_append_int() for long lines

Problem:  ml_append_int() crashes when appending lines near MAXCOL
          length due to signed integer overflow in space_needed
          calculation.
Solution: Change 'space_needed' from int to long to handle the
          'len + INDEX_SIZE' computation without overflow. Update
          db_free comparison casts from (int) to (long) to match.

Note: supported by AI claude

related: #17935
related: #18953
related: #19332

Signed-off-by: Christian Brabandt <cb@256bit.org>
Christian Brabandt
2026-02-18 21:49:58 +00:00
parent f06b3f529a
commit 0ece393844
2 changed files with 6 additions and 4 deletions
+4 -4
@@ -2941,7 +2941,7 @@ ml_append_int(
int line_count; // number of indexes in current block
int offset;
int from, to;
int space_needed; // space needed for new line
long space_needed; // space needed for new line
int page_size;
int page_count;
int db_idx; // index for lnum in data block
@@ -3018,7 +3018,7 @@ ml_append_int(
* - not appending to the last line in the file
* insert in front of the next block.
*/
if ((int)dp->db_free < space_needed && db_idx == line_count - 1
if ((long)dp->db_free < space_needed && db_idx == line_count - 1
&& lnum < buf->b_ml.ml_line_count)
{
/*
@@ -3041,7 +3041,7 @@ ml_append_int(
++buf->b_ml.ml_line_count;
if ((int)dp->db_free >= space_needed) // enough room in data block
if ((long)dp->db_free >= space_needed) // enough room in data block
{
/*
* Insert the new line in an existing data block, or in the data block
@@ -3142,7 +3142,7 @@ ml_append_int(
data_moved = ((dp->db_index[db_idx]) & DB_INDEX_MASK) -
dp->db_txt_start;
total_moved = data_moved + lines_moved * INDEX_SIZE;
if ((int)dp->db_free + total_moved >= space_needed)
if ((long)dp->db_free + total_moved >= space_needed)
{
in_left = TRUE; // put new line in left block
space_needed = total_moved;
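Review bot: Widening `space_needed` to `long` only removes the overflow if the `len + INDEX_SIZE` addition named in the description is itself evaluated in the wider type; if `len` and `INDEX_SIZE` are both `int`-typed, the sum overflows before it is stored and the new declaration does not change that, so the assignment (outside these hunks) should read `space_needed = (long)len + INDEX_SIZE;` or equivalent. Separately, `long` is 32 bits on LLP64 targets such as 64-bit Windows, so on those builds the new type is no wider than the old `int` and the same crash path presumably remains; `long long` or `size_t` would close it on every platform, with the three `(long)dp->db_free` casts adjusted to match. The comparisons at the first and third hunks also compare the widened `space_needed` against `(long)dp->db_free` (and `+ total_moved`), which is fine once the operands are sized consistently. ml_append_int's body starts before the first hunk and continues past the last one.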
+2
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
23,
/**/
22,
/**/