From 39b29bf6c5589bb2dc7d2c4c0a24a851fb67113e Mon Sep 17 00:00:00 2001
From: Christian Brabandt <[email protected]>
Date: Tue, 14 Nov 2023 21:33:29 +0100
Subject: [PATCH 5/9] backport-CVE-2023-48235: patch 9.0.2110: [security]:
 overflow in ex address parsing

Problem:  [security]: overflow in ex address parsing
Solution: Verify that lnum is positive, before substracting from
          LONG_MAX

[security]: overflow in ex address parsing

When parsing relative ex addresses one may unintentionally cause an
overflow (because LONG_MAX - lnum will overflow for negative addresses).

So verify that lnum is actually positive before doing the overflow
check.

Signed-off-by: Christian Brabandt <[email protected]>
Signed-off-by: Yi Lin <[email protected]>
---
 src/ex_docmd.c             | 2 +-
 src/testdir/test_excmd.vim | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index 06837ac92..01d411a63 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -4644,7 +4644,7 @@ get_address(
 		    lnum -= n;
 		else
 		{
-		    if (n >= LONG_MAX - lnum)
+		    if (lnum >= 0 && n >= LONG_MAX - lnum)
 		    {
 			emsg(_(e_line_number_out_of_range));
 			goto error;
diff --git a/src/testdir/test_excmd.vim b/src/testdir/test_excmd.vim
index 3637351f6..47fc26726 100644
--- a/src/testdir/test_excmd.vim
+++ b/src/testdir/test_excmd.vim
@@ -724,5 +724,9 @@ func Test_write_after_rename()
   bwipe!
 endfunc
 
+" catch address lines overflow
+func Test_ex_address_range_overflow()
+  call assert_fails(':--+foobar', 'E492:')
+endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab
-- 
2.41.0