aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-25 03:54:15 -04:00
Code Activity

patch 9.0.2158: [security]: use-after-free in check_argument_type

Browse Source 
Problem:  [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
          list

function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.

So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer

closes: #13652

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2023-12-11 17:53:25 +01:00
parent e4a450a87b
commit 0f28791b21
6 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/userfunc.c
View File

@@ -2533,7 +2533,7 @@ func_clear_items(ufunc_T *fp)
VIM_CLEAR(fp->uf_arg_types);
VIM_CLEAR(fp->uf_block_ids);
VIM_CLEAR(fp->uf_va_name);
clear_type_list(&fp->uf_type_list);
clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
// Increment the refcount of this function to avoid it being freed
// recursively when the partial is freed.
@@ -5435,7 +5435,7 @@ errret_2:
{
VIM_CLEAR(fp->uf_arg_types);
VIM_CLEAR(fp->uf_va_name);
clear_type_list(&fp->uf_type_list);
clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
}
if (free_fp)
VIM_CLEAR(fp);