patch 9.0.2107: [security]: FPE in adjust_plines_for_skipcol

Commit: 
https://github.com/vim/vim/commit/cb0b99f0672d8446585d26e998343dceca17d1ce
Author: Christian Brabandt <[email protected]>
Date:   Tue Nov 14 20:05:59 2023 +0100

    patch 9.0.2107: [security]: FPE in adjust_plines_for_skipcol
    
    Problem:  [security]: FPE in adjust_plines_for_skipcol
    Solution: don't divide by zero, return zero
    
    Prevent a floating point exception when calculating w_skipcol (which can
    happen with a small window when the number option is set and cpo+=n).
    
    Add a test to verify
    
    Signed-off-by: Christian Brabandt <[email protected]>

diff --git a/src/move.c b/src/move.c
index ce06dc339..fbb352a32 100644
--- a/src/move.c
+++ b/src/move.c
@@ -45,8 +45,9 @@ adjust_plines_for_skipcol(win_T *wp)
        return 0;
 
     int width = wp->w_width - win_col_off(wp);
-    if (wp->w_skipcol >= width)
-       return (wp->w_skipcol - width) / (width + win_col_off2(wp)) + 1;
+    int w2 = width + win_col_off2(wp);
+    if (wp->w_skipcol >= width && w2 > 0)
+       return (wp->w_skipcol - width) / w2 + 1;
 
     return 0;
 }
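Review bot: The new guard `if (wp->w_skipcol >= width && w2 > 0)` has no comment saying when `w2` can be zero or negative, so the reason for the extra condition is easy to lose in a later cleanup. I would add above it `// w2 can be <= 0 in a very narrow window with 'number' set and cpo+=n; dividing by it raises SIGFPE`, which restates what the commit message says. The guard also still computes a result when `width` itself is zero or negative but `w2` is positive, so `wp->w_skipcol - width` is taken against a non-positive width. Whether that state is reachable, and what the count should be then, is not visible here and is worth confirming. The function starts above the hunk.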
diff --git a/src/testdir/test_scroll_opt.vim b/src/testdir/test_scroll_opt.vim
index d5d08a24c..342d382c2 100644
--- a/src/testdir/test_scroll_opt.vim
+++ b/src/testdir/test_scroll_opt.vim
@@ -926,4 +926,23 @@ func Test_smoothscroll_cursor_top()
   call StopVimInTerminal(buf)
 endfunc
 
+" Division by zero, shouldn't crash
+func Test_smoothscroll_crash()
+  CheckScreendump
+
+  let lines =<< trim END
+      20 new
+      vsp
+      put =repeat('aaaa', 20)
+      set nu fdc=1  smoothscroll cpo+=n
+      vert resize 0
+      exe "norm! 0\<c-e>"
+  END
+  call writefile(lines, 'XSmoothScrollCrash', 'D')
+  let buf = RunVimInTerminal('-u NONE -S XSmoothScrollCrash', #{rows: 12, 
cols:40})
+  call term_sendkeys(buf, "2\<C-E>\<C-L>")
+
+  call StopVimInTerminal(buf)
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
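Review bot: `Test_smoothscroll_crash` is gated by `CheckScreendump` but never compares a screen dump, so the gate is misleading; `CheckRunVimInTerminal` states the actual requirement. The test also has no explicit assertion. A regression shows up only if the child Vim dying makes `term_sendkeys()` or `StopVimInTerminal()` fail, and that behaviour is not visible in this hunk. Consider pinning it before the stop call with `call TermWait(buf)` followed by `call assert_equal('run', job_status(term_getjob(buf)))`.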
diff --git a/src/version.c b/src/version.c
index ec021985f..684f3acf4 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2107,
 /**/
     2106,
 /**/
