Blame SOURCES/vim-cve-var-retab.patch

44ca1a
diff --git a/src/indent.c b/src/indent.c
44ca1a
index e1c6f52..a002b4b 100644
44ca1a
--- a/src/indent.c
44ca1a
+++ b/src/indent.c
44ca1a
@@ -18,18 +18,19 @@
44ca1a
 /*
44ca1a
  * Set the integer values corresponding to the string setting of 'vartabstop'.
44ca1a
  * "array" will be set, caller must free it if needed.
44ca1a
+ * Return FAIL for an error.
44ca1a
  */
44ca1a
     int
44ca1a
 tabstop_set(char_u *var, int **array)
44ca1a
 {
44ca1a
-    int valcount = 1;
44ca1a
-    int t;
44ca1a
-    char_u *cp;
44ca1a
+    int	    valcount = 1;
44ca1a
+    int	    t;
44ca1a
+    char_u  *cp;
44ca1a
 
44ca1a
     if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
44ca1a
     {
44ca1a
 	*array = NULL;
44ca1a
-	return TRUE;
44ca1a
+	return OK;
44ca1a
     }
44ca1a
 
44ca1a
     for (cp = var; *cp != NUL; ++cp)
44ca1a
@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
44ca1a
 		if (cp != end)
44ca1a
 		    emsg(_(e_positive));
44ca1a
 		else
44ca1a
-		    emsg(_(e_invarg));
44ca1a
-		return FALSE;
44ca1a
+		    semsg(_(e_invarg2), cp);
44ca1a
+		return FAIL;
44ca1a
 	    }
44ca1a
 	}
44ca1a
 
44ca1a
@@ -55,26 +56,36 @@ tabstop_set(char_u *var, int **array)
44ca1a
 	    ++valcount;
44ca1a
 	    continue;
44ca1a
 	}
44ca1a
-	emsg(_(e_invarg));
44ca1a
-	return FALSE;
44ca1a
+	semsg(_(e_invarg2), var);
44ca1a
+	return FAIL;
44ca1a
     }
44ca1a
 
44ca1a
     *array = ALLOC_MULT(int, valcount + 1);
44ca1a
     if (*array == NULL)
44ca1a
-	return FALSE;
44ca1a
+	return FAIL;
44ca1a
     (*array)[0] = valcount;
44ca1a
 
44ca1a
     t = 1;
44ca1a
     for (cp = var; *cp != NUL;)
44ca1a
     {
44ca1a
-	(*array)[t++] = atoi((char *)cp);
44ca1a
-	while (*cp  != NUL && *cp != ',')
44ca1a
+	int n = atoi((char *)cp);
44ca1a
+
44ca1a
+	// Catch negative values, overflow and ridiculous big values.
44ca1a
+	if (n < 0 || n > 9999)
44ca1a
+	{
44ca1a
+	    semsg(_(e_invarg2), cp);
44ca1a
+	    vim_free(*array);
44ca1a
+	    *array = NULL;
44ca1a
+	    return FAIL;
44ca1a
+	}
44ca1a
+	(*array)[t++] = n;
44ca1a
+	while (*cp != NUL && *cp != ',')
44ca1a
 	    ++cp;
44ca1a
 	if (*cp != NUL)
44ca1a
 	    ++cp;
44ca1a
     }
44ca1a
 
44ca1a
-    return TRUE;
44ca1a
+    return OK;
44ca1a
 }
44ca1a
 
44ca1a
 /*
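Review bot: The range check on `n` does not reliably catch overflow, because `atoi()` has undefined behaviour when the parsed value does not fit in an `int`; on implementations that truncate a `long`, an oversized entry can come back as a small positive number and pass `n < 0 || n > 9999`. Parsing with `long n = strtol((char *)cp, NULL, 10);`, keeping the same range test, and storing `(*array)[t++] = (int)n;` makes the out-of-range case well defined, since strtol saturates rather than wrapping. The limit 9999 is also repeated in the ex_retab hunk, so a shared named constant would keep the two checks in step. tabstop_set starts before this hunk, and its earlier validation loop is only partly visible here.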
44ca1a
@@ -1561,7 +1572,7 @@ ex_retab(exarg_T *eap)
44ca1a
 
44ca1a
 #ifdef FEAT_VARTABS
44ca1a
     new_ts_str = eap->arg;
44ca1a
-    if (!tabstop_set(eap->arg, &new_vts_array))
44ca1a
+    if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
44ca1a
 	return;
44ca1a
     while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
44ca1a
 	++(eap->arg);
44ca1a
@@ -1577,12 +1588,18 @@ ex_retab(exarg_T *eap)
44ca1a
     else
44ca1a
 	new_ts_str = vim_strnsave(new_ts_str, eap->arg - new_ts_str);
44ca1a
 #else
44ca1a
-    new_ts = getdigits(&(eap->arg));
44ca1a
-    if (new_ts < 0)
44ca1a
+    ptr = eap->arg;
44ca1a
+    new_ts = getdigits(&ptr);
44ca1a
+    if (new_ts < 0 && *eap->arg == '-')
44ca1a
     {
44ca1a
 	emsg(_(e_positive));
44ca1a
 	return;
44ca1a
     }
44ca1a
+    if (new_ts < 0 || new_ts > 9999)
44ca1a
+    {
44ca1a
+	semsg(_(e_invarg2), eap->arg);
44ca1a
+	return;
44ca1a
+    }
44ca1a
     if (new_ts == 0)
44ca1a
 	new_ts = curbuf->b_p_ts;
44ca1a
 #endif
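Review bot: In the `#else` branch `eap->arg` is no longer advanced past the number, because `getdigits()` now moves the local `ptr` instead; the FEAT_VARTABS branch in the preceding hunk still steps `eap->arg` over the digits and commas. If anything later in ex_retab reads `eap->arg` (the rest of the function is outside the hunk), the two build configurations now behave differently. Either add `eap->arg = ptr;` after the range checks, or record the intent with a comment such as `// eap->arg stays at the start of the number so the error message can show it`.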
44ca1a
diff --git a/src/option.c b/src/option.c
44ca1a
index b9d7edb..9a3b71e 100644
44ca1a
--- a/src/option.c
44ca1a
+++ b/src/option.c
44ca1a
@@ -2349,9 +2349,9 @@ didset_options2(void)
44ca1a
 #endif
44ca1a
 #ifdef FEAT_VARTABS
44ca1a
     vim_free(curbuf->b_p_vsts_array);
44ca1a
-    tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
44ca1a
+    (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
44ca1a
     vim_free(curbuf->b_p_vts_array);
44ca1a
-    tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
44ca1a
+    (void)tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
44ca1a
 #endif
44ca1a
 }
44ca1a
 
44ca1a
@@ -5828,7 +5828,7 @@ buf_copy_options(buf_T *buf, int flags)
44ca1a
 	    buf->b_p_vsts = vim_strsave(p_vsts);
44ca1a
 	    COPY_OPT_SCTX(buf, BV_VSTS);
44ca1a
 	    if (p_vsts && p_vsts != empty_option)
44ca1a
-		tabstop_set(p_vsts, &buf->b_p_vsts_array);
44ca1a
+		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
44ca1a
 	    else
44ca1a
 		buf->b_p_vsts_array = 0;
44ca1a
 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
44ca1a
@@ -5988,7 +5988,7 @@ buf_copy_options(buf_T *buf, int flags)
44ca1a
 		buf->b_p_isk = save_p_isk;
44ca1a
 #ifdef FEAT_VARTABS
44ca1a
 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
44ca1a
-		    tabstop_set(p_vts, &buf->b_p_vts_array);
44ca1a
+		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
44ca1a
 		else
44ca1a
 		    buf->b_p_vts_array = NULL;
44ca1a
 #endif
44ca1a
@@ -6003,7 +6003,7 @@ buf_copy_options(buf_T *buf, int flags)
44ca1a
 		buf->b_p_vts = vim_strsave(p_vts);
44ca1a
 		COPY_OPT_SCTX(buf, BV_VTS);
44ca1a
 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
44ca1a
-		    tabstop_set(p_vts, &buf->b_p_vts_array);
44ca1a
+		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
44ca1a
 		else
44ca1a
 		    buf->b_p_vts_array = NULL;
44ca1a
 #endif
44ca1a
@@ -6700,7 +6700,7 @@ paste_option_changed(void)
44ca1a
 	    if (buf->b_p_vsts_array)
44ca1a
 		vim_free(buf->b_p_vsts_array);
44ca1a
 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
44ca1a
-		tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
44ca1a
+		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
44ca1a
 	    else
44ca1a
 		buf->b_p_vsts_array = 0;
44ca1a
 #endif
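Review bot: The `(void)` cast discards a FAIL that can leave `buf->b_p_vsts_array` pointing at memory this function has just passed to `vim_free()`. Going by the src/indent.c hunks, only the new range-check path resets `*array` to NULL; the earlier `return FAIL` exits in the validation loop return without writing `*array`. The stored option string has presumably been validated when it was set, so this may be unreachable, but adding `buf->b_p_vsts_array = NULL;` right after the free would make that independent of the parser. didset_options2 has the same free-then-`(void)tabstop_set` sequence for both `b_p_vsts_array` and `b_p_vts_array`. paste_option_changed continues outside this hunk.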
44ca1a
diff --git a/src/optionstr.c b/src/optionstr.c
44ca1a
index 521242d..db015e8 100644
44ca1a
--- a/src/optionstr.c
44ca1a
+++ b/src/optionstr.c
44ca1a
@@ -2215,7 +2215,7 @@ ambw_end:
44ca1a
 	    if (errmsg == NULL)
44ca1a
 	    {
44ca1a
 		int *oldarray = curbuf->b_p_vsts_array;
44ca1a
-		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
44ca1a
+		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
44ca1a
 		{
44ca1a
 		    if (oldarray)
44ca1a
 			vim_free(oldarray);
44ca1a
@@ -2254,7 +2254,7 @@ ambw_end:
44ca1a
 	    {
44ca1a
 		int *oldarray = curbuf->b_p_vts_array;
44ca1a
 
44ca1a
-		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
44ca1a
+		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
44ca1a
 		{
44ca1a
 		    vim_free(oldarray);
44ca1a
 #ifdef FEAT_FOLDING
44ca1a
diff --git a/src/testdir/test_retab.vim b/src/testdir/test_retab.vim
44ca1a
index b792da5..c7190aa 100644
44ca1a
--- a/src/testdir/test_retab.vim
44ca1a
+++ b/src/testdir/test_retab.vim
44ca1a
@@ -75,6 +75,9 @@ endfunc
44ca1a
 func Test_retab_error()
44ca1a
   call assert_fails('retab -1',  'E487:')
44ca1a
   call assert_fails('retab! -1', 'E487:')
44ca1a
+  call assert_fails('ret -1000', 'E487:')
44ca1a
+  call assert_fails('ret 10000', 'E475:')
44ca1a
+  call assert_fails('ret 80000000000000000000', 'E475:')
44ca1a
 endfunc
44ca1a
 
44ca1a
 " vim: shiftwidth=2 sts=2 expandtab