The cmd_int function in cmdbuf.c does not check integer overflows:
for (p = cmdbuf; *p >= '0' && *p <= '9'; p++)
n = (n * 10) + (*p - '0');
Though one doesn't normally enter huge numbers, the result can be surprising.
Since the value (stored in the variable number) is generally cast to int in command.c (which in particular makes the number > 0 tests performed before the cast incorrect), an immediate solution is to saturate to INT_MAX by replacing the second line with
n = n > (INT_MAX - (*p - '0')) / 10 ? INT_MAX : (n * 10) + (*p - '0');
This should avoid integer overflows completely.
Note that the consequence is that the values will be limited to INT_MAX for command P ("Go to the line containing byte offset N in the file."). However, this could affect only the viewing of files larger than 2 GB. Ideally, the types in the code should be cleaned up.
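To make the effect concrete, here is an added example (not code from less itself) that puts the unchecked loop next to the saturating replacement and then applies the "test number > 0, then cast to int" pattern the report attributes to command.c. The accumulator type LINENUM is assumed to be long long, and as_command_int is an assumed stand-in for the cast in command.c, not its actual code.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: less's LINENUM is taken to be long long here. */
typedef long long LINENUM;

/* Digit loop as quoted from cmd_int: no overflow check at all. */
LINENUM parse_unchecked(const char *cmdbuf)
{
    LINENUM n = 0;
    const char *p;
    for (p = cmdbuf; *p >= '0' && *p <= '9'; p++)
        n = (n * 10) + (*p - '0');
    return n;
}

/* Same loop with the proposed replacement line: n can never exceed INT_MAX,
 * and once it reaches INT_MAX every further digit keeps it there. */
LINENUM parse_saturating(const char *cmdbuf)
{
    LINENUM n = 0;
    const char *p;
    for (p = cmdbuf; *p >= '0' && *p <= '9'; p++)
        n = n > (INT_MAX - (*p - '0')) / 10 ? INT_MAX : (n * 10) + (*p - '0');
    return n;
}

/* Assumed stand-in for command.c: the wide value passes a number > 0 test and
 * is then cast to int. For number > INT_MAX the cast result is
 * implementation-defined, so the positive test said nothing useful. */
int as_command_int(LINENUM number)
{
    return number > 0 ? (int) number : 0;
}

int main(void)
{
    /* Constructed input: fits in long long, does not fit in int. */
    const char *input = "3000000000";
    printf("unchecked  -> %d\n", as_command_int(parse_unchecked(input)));
    printf("saturating -> %d\n", as_command_int(parse_saturating(input)));
    return 0;
}
```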