aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-25 03:54:15 -04:00
Code Activity

patch 9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

Browse Source 
Problem:  heap-use-after-free and stack-use-after-scope with :14verbose
          when using :return and :try (after 9.1.1063).
Solution: Move back the vim_free(tofree) and the scope of numbuf[].
          (zeertzjq)

closes: #16563

Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2025-02-02 08:55:57 +01:00
committed by Christian Brabandt
parent 3a621188ee
commit 2101230f40
3 changed files with 42 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/testdir/test_user_func.vim
View File

@@ -987,4 +987,36 @@ func Test_func_curly_brace_invalid_name()
delfunc Fail delfunc Fail
endfunc endfunc
func Test_func_return_in_try_verbose()
func TryReturnList()
try
return [1, 2, 3]
endtry
endfunc
func TryReturnNumber()
try
return 123
endtry
endfunc
func TryReturnOverlongString()
try
return repeat('a', 9999)
endtry
endfunc
" This should not cause heap-use-after-free
call assert_match('\n:return \[1, 2, 3\] made pending\n',
\ execute('14verbose call TryReturnList()'))
" This should not cause stack-use-after-scope
call assert_match('\n:return 123 made pending\n',
\ execute('14verbose call TryReturnNumber()'))
" An overlong string is truncated
call assert_match('\n:return a\{100,}\.\.\.',
\ execute('14verbose call TryReturnOverlongString()'))
delfunc TryReturnList
delfunc TryReturnNumber
delfunc TryReturnOverlongString
endfunc
" vim: shiftwidth=2 sts=2 expandtab " vim: shiftwidth=2 sts=2 expandtab

19
src/userfunc.c
View File

@@ -682,12 +682,12 @@ make_ufunc_name_readable(char_u *name, char_u *buf, size_t bufsize)
return buf; return buf;
} }
/*
* Get a name for a lambda. Returned in static memory.
*/
static char_u lambda_name[8 + NUMBUFLEN]; static char_u lambda_name[8 + NUMBUFLEN];
static size_t lambda_namelen = 0; static size_t lambda_namelen = 0;
/*
* Get a name for a lambda. Returned in static memory.
*/
char_u * char_u *
get_lambda_name(void) get_lambda_name(void)
{ {
@@ -6820,17 +6820,13 @@ discard_pending_return(void *rettv)
get_return_cmd(void *rettv) get_return_cmd(void *rettv)
{ {
char_u *s = NULL; char_u *s = NULL;
char_u *tofree = NULL;
char_u numbuf[NUMBUFLEN];
size_t slen = 0; size_t slen = 0;
size_t IObufflen; size_t IObufflen;
if (rettv != NULL) if (rettv != NULL)
{
char_u *tofree = NULL;
char_u numbuf[NUMBUFLEN];
s = echo_string((typval_T *)rettv, &tofree, numbuf, 0); s = echo_string((typval_T *)rettv, &tofree, numbuf, 0);
vim_free(tofree);
}
if (s == NULL) if (s == NULL)
s = (char_u *)""; s = (char_u *)"";
else else
@@ -6839,11 +6835,12 @@ get_return_cmd(void *rettv)
STRCPY(IObuff, ":return "); STRCPY(IObuff, ":return ");
STRNCPY(IObuff + 8, s, IOSIZE - 8); STRNCPY(IObuff + 8, s, IOSIZE - 8);
IObufflen = 8 + slen; IObufflen = 8 + slen;
if (slen + 8 >= IOSIZE) if (IObufflen >= IOSIZE)
{ {
STRCPY(IObuff + IOSIZE - 4, "..."); STRCPY(IObuff + IOSIZE - 4, "...");
IObufflen += 3; IObufflen = IOSIZE - 1;
} }
vim_free(tofree);
return vim_strnsave(IObuff, IObufflen); return vim_strnsave(IObuff, IObufflen);
} }

2
src/version.c
View File

@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
1066,
/**/ /**/
1065, 1065,
/**/ /**/