patch 8.2.1962: netbeans may access freed memory

Problem: Netbeans may access freed memory. Solution: Check the buffer pointer is still valid. Add a test. (Yegappan Lakshmanan, closes #7248)
2020-11-06 13:44:21 +01:00 · 2020-11-06 13:44:21 +01:00 · 32e5ec0b01
commit 32e5ec0b01
parent 85d9b03f84
3 changed files with 49 additions and 9 deletions
--- a/src/netbeans.c
+++ b/src/netbeans.c
@ -572,7 +572,7 @@ nb_free(void)
 	buf = buf_list[i];
 	vim_free(buf.displayname);
 	vim_free(buf.signmap);
-	if (buf.bufp != NULL)
+	if (buf.bufp != NULL && buf_valid(buf.bufp))
 	{
 	    buf.bufp->b_netbeans_file = FALSE;
 	    buf.bufp->b_was_netbeans_file = FALSE;
@ -1943,15 +1943,13 @@ nb_do_cmd(
 	    if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH)
 	    {
 		emsg("E532: highlighting color name too long in defineAnnoType");
-		vim_free(typeName);
+		VIM_CLEAR(typeName);
 		parse_error = TRUE;
 	    }
 	    else if (typeName != NULL && tooltip != NULL && glyphFile != NULL)
 		addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg);
 	    else
 		vim_free(typeName);
-	    // don't free typeName; it's used directly in addsigntype()
+	    vim_free(typeName);
 	    vim_free(fg);
 	    vim_free(bg);
 	    vim_free(tooltip);
@ -3240,7 +3238,7 @@ addsigntype(
 	    }
 	}
-	globalsignmap[i] = (char *)typeName;
+	globalsignmap[i] = (char *)vim_strsave(typeName);
 	globalsignmapused = i + 1;
    }
--- a/src/testdir/test_netbeans.vim
+++ b/src/testdir/test_netbeans.vim
@ -34,9 +34,9 @@ endfunc
 " Read the "Xnetbeans" file and filter out geometry messages.
 func ReadXnetbeans()
  let l = readfile("Xnetbeans")
-  " Xnetbeans may include '0:geometry=' messages on GUI environment if window
+  " Xnetbeans may include '0:geometry=' messages in the GUI Vim if the window
  " position, size, or z order are changed.  Remove these messages because
-  " will causes troubles on check.
+  " these message will break the assert for the output.
  return filter(l, 'v:val !~ "^0:geometry="')
 endfunc
@ -388,7 +388,7 @@ func Nb_basic(port)
  call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none', l[-1])
  sleep 1m
  call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'},
-        \ sign_getdefined()[0])
+        \ sign_getdefined()->get(0, {}))
  let g:last += 3
  " defineAnnoType with a long color name
@ -892,4 +892,44 @@ func Test_nb_quit_with_conn()
  call s:run_server('Nb_quit_with_conn')
 endfunc
 func Nb_bwipe_buffer(port)
  call delete("Xnetbeans")
  call writefile([], "Xnetbeans")
  " Last line number in the Xnetbeans file. Used to verify the result of the
  " communication with the netbeans server
  let g:last = 0
  " Establish the connection with the netbeans server
  exe 'nbstart :localhost:' .. a:port .. ':bunny'
  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
  let l = ReadXnetbeans()
  call assert_equal(['AUTH bunny',
        \ '0:version=0 "2.5"',
        \ '0:startupDone=0'], l[-3:])
  let g:last += 3
  " Open the command buffer to communicate with the server
  split Xcmdbuf
  call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
  let l = ReadXnetbeans()
  call assert_equal('0:fileOpened=0 "Xcmdbuf" T F',
        \ substitute(l[-3], '".*/', '"', ''))
  call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"',
        \ substitute(l[-2], '".*/', '"', ''))
  call assert_equal('1:startDocumentListen!16', l[-1])
  let g:last += 3
  sleep 10m
 endfunc
 " This test used to reference a buffer after it was freed leading to an ASAN
 " error.
 func Test_nb_bwipe_buffer()
  call s:run_server('Nb_bwipe_buffer')
  %bwipe!
  sleep 100m
  nbclose
 endfunc
 " vim: shiftwidth=2 sts=2 expandtab
--- a/src/version.c
+++ b/src/version.c
@ -750,6 +750,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
    1962,
 /**/
    1961,
 /**/