patch 9.1.0017: [security]: use-after-free in eval1_emsg()
Problem: use-after-free in eval1_emsg() when an empty line follows a lambda (by @yu3s) Solution: only set evalarg->eval_using_cmdline = FALSE when the *arg pointer is not null fixes: #13833 closes: #13841 Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
committed by
Christian Brabandt
parent
71d0ba07a3
commit
28d71b566a
11
src/eval.c
11
src/eval.c
@@ -2699,6 +2699,9 @@ eval_next_non_blank(char_u *arg, evalarg_T *evalarg, int *getnext)
|
|||||||
/*
|
/*
|
||||||
* To be called after eval_next_non_blank() sets "getnext" to TRUE.
|
* To be called after eval_next_non_blank() sets "getnext" to TRUE.
|
||||||
* Only called for Vim9 script.
|
* Only called for Vim9 script.
|
||||||
|
*
|
||||||
|
* If "arg" is not NULL, then the caller should assign the return value to
|
||||||
|
* "arg".
|
||||||
*/
|
*/
|
||||||
char_u *
|
char_u *
|
||||||
eval_next_line(char_u *arg, evalarg_T *evalarg)
|
eval_next_line(char_u *arg, evalarg_T *evalarg)
|
||||||
@@ -2747,8 +2750,12 @@ eval_next_line(char_u *arg, evalarg_T *evalarg)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Advanced to the next line, "arg" no longer points into the previous
|
// Advanced to the next line, "arg" no longer points into the previous
|
||||||
// line.
|
// line. The caller assigns the return value to "arg".
|
||||||
evalarg->eval_using_cmdline = FALSE;
|
// If "arg" is NULL, then the return value is discarded. In that case,
|
||||||
|
// "arg" still points to the previous line. So don't reset
|
||||||
|
// "eval_using_cmdline".
|
||||||
|
if (arg != NULL)
|
||||||
|
evalarg->eval_using_cmdline = FALSE;
|
||||||
return skipwhite(line);
|
return skipwhite(line);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
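Review bot: The new `if (arg != NULL)` guard in eval_next_line() treats a NULL `arg` as the signal that the caller discards the return value, so the safety of clearing `eval_using_cmdline` now rests on a calling convention the compiler cannot check. A caller that passes a non-NULL `arg` and then does not assign the result would, as far as these hunks show, still clear the flag while its own pointer refers to the previous line, which is the state the commit message associates with the use-after-free in eval1_emsg(). The header comment added in the first hunk states the rule; I would repeat the obligation at the guard, e.g. `// Callers that pass a non-NULL "arg" must assign the return value to it.`, and audit the existing call sites against it. Most of the function body lies between the two hunks and is not visible here.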
@@ -4906,6 +4906,31 @@ def Test_for_stmt_space_before_type()
|
|||||||
v9.CheckSourceFailure(lines, 'E1059: No white space allowed before colon: :number in range(10)', 2)
|
v9.CheckSourceFailure(lines, 'E1059: No white space allowed before colon: :number in range(10)', 2)
|
||||||
enddef
|
enddef
|
||||||
|
|
||||||
|
" This test used to cause an use-after-free memory access
|
||||||
|
def Test_for_empty_line_after_lambda()
|
||||||
|
var lines =<< trim END
|
||||||
|
vim9script
|
||||||
|
echomsg range(0, 2)->map((_, v) => {
|
||||||
|
return 1
|
||||||
|
})
|
||||||
|
|
||||||
|
assert_equal('[1, 1, 1]', v:statusmsg)
|
||||||
|
END
|
||||||
|
v9.CheckSourceSuccess(lines)
|
||||||
|
|
||||||
|
lines =<< trim END
|
||||||
|
vim9script
|
||||||
|
echomsg range(0, 1)->map((_, v) => {
|
||||||
|
return 1
|
||||||
|
}) range(0, 1)->map((_, v) => {
|
||||||
|
return 2
|
||||||
|
}) # comment
|
||||||
|
|
||||||
|
assert_equal('[1, 1] [2, 2]', v:statusmsg)
|
||||||
|
END
|
||||||
|
v9.CheckSourceSuccess(lines)
|
||||||
|
enddef
|
||||||
|
|
||||||
" Keep this last, it messes up highlighting.
|
" Keep this last, it messes up highlighting.
|
||||||
def Test_substitute_cmd()
|
def Test_substitute_cmd()
|
||||||
new
|
new
|
||||||
|
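Review bot: The comment above `Test_for_empty_line_after_lambda()` does not say how a regression would show up, and a use-after-free read often goes unnoticed in a normal build. The two `v9.CheckSourceSuccess(lines)` calls probably fail reliably only when the suite runs under ASan or Valgrind; that is an inference, not something the hunk shows. I would extend the comment to `" An empty line after a multi-line lambda used to cause a use-after-free in eval1_emsg(); run under ASan or Valgrind to catch a regression.`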
@@ -704,6 +704,8 @@ static char *(features[]) =
|
|||||||
|
|
||||||
static int included_patches[] =
|
static int included_patches[] =
|
||||||
{ /* Add new patch number below this line */
|
{ /* Add new patch number below this line */
|
||||||
|
/**/
|
||||||
|
17,
|
||||||
/**/
|
/**/
|
||||||
16,
|
16,
|
||||||
/**/
|
/**/
|
||||||
|