File _service:tar_scm:backport-CVE-2023-46246.patch of Package vim

From 9198c1f2b1ddecde22af918541e0de2a32f0f45a Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 26 Oct 2023 21:29:32 +0200
Subject: [PATCH] patch 9.0.2068: [security] overflow in :history

Problem:  [security] overflow in :history
Solution: Check that value fits into int

The get_list_range() function, used to parse numbers for the :history
and :clist command internally uses long variables to store the numbers.
However function arguments are integer pointers, which can then
overflow.

Check that the return value from the vim_str2nr() function is not larger
than INT_MAX and if yes, bail out with an error. I guess nobody uses a
cmdline/clist history that needs so many entries... (famous last words).

It is only a moderate vulnerability, so impact should be low.

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm

Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/cmdhist.c                |  5 ++++-
 src/errors.h                 |  2 ++
 src/ex_getln.c               | 10 +++++++++-
 src/testdir/test_history.vim |  8 ++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/cmdhist.c b/src/cmdhist.c
index d398ca7a687b5..96a9b3e95b86f 100644
--- a/src/cmdhist.c
+++ b/src/cmdhist.c
@@ -740,7 +740,10 @@ ex_history(exarg_T *eap)
 	end = arg;
     if (!get_list_range(&end, &hisidx1, &hisidx2) || *end != NUL)
     {
-	semsg(_(e_trailing_characters_str), end);
+	if (*end != NUL)
+	    semsg(_(e_trailing_characters_str), end);
+	else
+	    semsg(_(e_val_too_large), arg);
 	return;
     }
 
diff --git a/src/errors.h b/src/errors.h
index 79a785e1e2953..72957d8b93bdc 100644
--- a/src/errors.h
+++ b/src/errors.h
@@ -3306,3 +3306,5 @@ EXTERN char e_substitute_nesting_too_deep[]
 #endif
 EXTERN char e_window_unexpectedly_close_while_searching_for_tags[]
 	INIT(= N_("E1299: Window unexpectedly closed while searching for tags"));
+EXTERN char e_val_too_large[]
+	INIT(= N_("E1510: Value too large: %s"));
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 9683e2ebd5af5..8f0be520886be 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -4326,6 +4326,10 @@ get_list_range(char_u **str, int *num1, int *num2)
     {
 	vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
 	*str += len;
+	// overflow
+	if (num > INT_MAX)
+	    return FAIL;
+
 	*num1 = (int)num;
 	first = TRUE;
     }
@@ -4336,8 +4340,12 @@ get_list_range(char_u **str, int *num1, int *num2)
 	vim_str2nr(*str, NULL, &len, 0, &num, NULL, 0, FALSE);
 	if (len > 0)
 	{
-	    *num2 = (int)num;
 	    *str = skipwhite(*str + len);
+	    // overflow
+	    if (num > INT_MAX)
+		return FAIL;
+
+	    *num2 = (int)num;
 	}
 	else if (!first)		// no number given at all
 	    return FAIL;
diff --git a/src/testdir/test_history.vim b/src/testdir/test_history.vim
index bb6d67172585e..482328ab4aaef 100644
--- a/src/testdir/test_history.vim
+++ b/src/testdir/test_history.vim
@@ -249,4 +249,12 @@ func Test_history_crypt_key()
   set key& bs& ts&
 endfunc
 
+" The following used to overflow and causing an use-after-free
+func Test_history_max_val()
+
+  set history=10
+  call assert_fails(':history 2147483648', 'E1510:')
+  set history&
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab