To: vim_dev@googlegroups.com Subject: Patch 8.1.0048 Fcc: outbox From: Bram Moolenaar <Bram@moolenaar.net> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.1.0048 Problem: vim_str2nr() does not handle numbers close to the maximum. Solution: Check for overflow more precisely. (Ken Takata, closes #2746) Files: src/charset.c *** ../vim-8.1.0047/src/charset.c 2018-04-25 21:59:10.000000000 +0200 --- src/charset.c 2018-06-12 17:20:17.692062915 +0200 *************** *** 1928,1935 **** while ('0' <= *ptr && *ptr <= '1') { /* avoid ubsan error for overflow */ ! if (un < UVARNUM_MAX / 2) ! un = 2 * un + (unsigned long)(*ptr - '0'); else un = UVARNUM_MAX; ++ptr; --- 1928,1935 ---- while ('0' <= *ptr && *ptr <= '1') { /* avoid ubsan error for overflow */ ! if (un <= UVARNUM_MAX / 2) ! un = 2 * un + (uvarnumber_T)(*ptr - '0'); else un = UVARNUM_MAX; ++ptr; *************** *** 1943,1949 **** while ('0' <= *ptr && *ptr <= '7') { /* avoid ubsan error for overflow */ ! if (un < UVARNUM_MAX / 8) un = 8 * un + (uvarnumber_T)(*ptr - '0'); else un = UVARNUM_MAX; --- 1943,1949 ---- while ('0' <= *ptr && *ptr <= '7') { /* avoid ubsan error for overflow */ ! if (un <= UVARNUM_MAX / 8) un = 8 * un + (uvarnumber_T)(*ptr - '0'); else un = UVARNUM_MAX; *************** *** 1960,1966 **** while (vim_isxdigit(*ptr)) { /* avoid ubsan error for overflow */ ! if (un < UVARNUM_MAX / 16) un = 16 * un + (uvarnumber_T)hex2nr(*ptr); else un = UVARNUM_MAX; --- 1960,1966 ---- while (vim_isxdigit(*ptr)) { /* avoid ubsan error for overflow */ ! if (un <= UVARNUM_MAX / 16) un = 16 * un + (uvarnumber_T)hex2nr(*ptr); else un = UVARNUM_MAX; *************** *** 1974,1982 **** /* decimal */ while (VIM_ISDIGIT(*ptr)) { /* avoid ubsan error for overflow */ ! if (un < UVARNUM_MAX / 10) ! un = 10 * un + (uvarnumber_T)(*ptr - '0'); else un = UVARNUM_MAX; ++ptr; --- 1974,1985 ---- /* decimal */ while (VIM_ISDIGIT(*ptr)) { + uvarnumber_T digit = (uvarnumber_T)(*ptr - '0'); + /* avoid ubsan error for overflow */ ! if (un < UVARNUM_MAX / 10 ! || (un == UVARNUM_MAX / 10 && digit <= UVARNUM_MAX % 10)) ! un = 10 * un + digit; else un = UVARNUM_MAX; ++ptr; *** ../vim-8.1.0047/src/version.c 2018-06-12 17:03:35.949611796 +0200 --- src/version.c 2018-06-12 17:24:32.210718899 +0200 *************** *** 763,764 **** --- 763,766 ---- { /* Add new patch number below this line */ + /**/ + 48, /**/ -- Everyone has a photographic memory. Some don't have film. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///