From 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 1 Aug 2024 20:16:51 +0200
Subject: [PATCH] patch 9.1.0647: [security] use-after-free in
 tagstack_clear_entry

Problem:  [security] use-after-free in tagstack_clear_entry
          (Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
          entries, let's use tagstack_clear_entry(), which will
          also free the stack, but using the VIM_CLEAR macro,
          which prevents a use-after-free by setting those pointers
          to NULL

This addresses CVE-2024-41957

Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4

Signed-off-by: Christian Brabandt <cb@256bit.org>
---
 src/testdir/crash/double_free | Bin 0 -> 561 bytes
 src/testdir/test_crash.vim    |   6 ++++++
 src/version.c                 |   2 ++
 src/window.c                  |   5 +----
 4 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 src/testdir/crash/double_free

diff --git a/src/testdir/crash/double_free b/src/testdir/crash/double_free
new file mode 100644
index 0000000000000000000000000000000000000000..895c4a04b6ab1c2eabc80a486e52cabd7a99a5ea
GIT binary patch
literal 561
zcmY+BL2DC16vtm$FL@r)OM?`VNi5idX;=tFTegZ#(3FA_g$iA9XET#zWiz{-+3kcR
z+8h)-c<|7hpT_Uv_ZVMH6#QM@@PBXKoA)1nT!N}!;A@rCk*nK{qi~J@P`Y><JR?x0
zAV|1&|FSA+^(FFrgz2ezF`;5iu43ohexuRo5_JaC>8t4q{~#Di*6H;w(jtG~j{r!x
z#3aqYpoj+pgIo_KYyg;mrs*+t$*`Q-X0v(1u%E^Ti}j5W!>AYtFB0B)5P^C!=IhEP
z!)mp9s)zTK=uG0=i|@l@%s<Sw#dpkiFtYeivUf;Wt9iDdzH+a;E5nfHv39U$u+p`-
zy`X8qU9<7m3w*P+TyH$oGUGzb%*<mqBQ2Svvu4cyALoFdE!Q~b$sLclJbYQ^$ED35
zlxbTnLw|+^nXM$Le-y@;3h4_-ZT)Jk(9SOc!S(YbHsXk0xOUdTE%H10Np3G$lvvxI
zeCz1RRo+w5qD5FNyOP$cgZc_*xNoxLTA;~f?ZGGHMU9!I<@34hvoFKX(ax4FHgB9$
b@#Ju~e()5!l?r~Wt$4JK6w)H|eN?{zo!qIG

literal 0
HcmV?d00001

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index fd786e5d54..29061aa423 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -190,6 +190,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/double_free'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 50)
+
   " clean up
   exe buf .. "bw!"
   bw!
diff --git a/src/version.c b/src/version.c
index 4dc9948d98..0e49ebd7a0 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    647,
 /**/
     646,
 /**/
diff --git a/src/window.c b/src/window.c
index 7ca29d46a5..70c72bca75 100644
--- a/src/window.c
+++ b/src/window.c
@@ -5837,10 +5837,7 @@ win_free(
     win_free_lsize(wp);
 
     for (i = 0; i < wp->w_tagstacklen; ++i)
-    {
-	vim_free(wp->w_tagstack[i].tagname);
-	vim_free(wp->w_tagstack[i].user_data);
-    }
+	tagstack_clear_entry(&wp->w_tagstack[i]);
     vim_free(wp->w_localdir);
     vim_free(wp->w_prevdir);