patch 9.2.0487: viminfo: possible signed int overflow in register array
Commit:
https://github.com/vim/vim/commit/ee49669e8f3b5ecdcfd2fdd08aeaac0e3de26ea8
Author: Yasuhiro Matsumoto <[email protected]>
Date: Fri May 15 16:44:46 2026 +0000
patch 9.2.0487: viminfo: possible signed int overflow in register array
Problem: viminfo: possible signed int overflow in register array growth
Solution: Cast to size_t (Yasuhiro Matsumoto)
The expression `limit * 2 * sizeof(string_T)` in read_viminfo_register()
multiplies in int and overflows once limit exceeds INT_MAX/2. Cast to
size_t first so the size computation stays unsigned. Defensive only;
reaching this path requires registers consuming many gigabytes.
closes: #20207
Signed-off-by: Yasuhiro Matsumoto <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/version.c b/src/version.c
index 046cc8342..0714ec1ac 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 487,
/**/
486,
/**/
diff --git a/src/viminfo.c b/src/viminfo.c
index d05900544..bb84726c8 100644
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -1706,7 +1706,7 @@ read_viminfo_register(vir_T *virp, int force)
if (size == limit)
{
string_T *new_array = (string_T *)
- alloc(limit * 2 * sizeof(string_T));
+ alloc((size_t)limit * 2 * sizeof(string_T));
if (new_array == NULL)
{
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/vim_dev/E1wNvtN-006XC8-Jl%40256bit.org.
