aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-24 03:44:06 -04:00
Code Activity

patch 9.0.2000: Vim9: use-after-free in deep call stack

Browse Source 
Problem:  Vim9: use-after-free in deep call stack
Solution: Get the objct pointer from execution stack

closes: #13296

Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
This commit is contained in:
Yegappan Lakshmanan
2023-10-07 22:03:18 +02:00
committed by Christian Brabandt
parent 2a281ccca0
commit 1087b8c29a
3 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/vim9execute.c
View File

@@ -559,6 +559,12 @@ call_dfunc(
arg_to_add + STACK_FRAME_SIZE + varcount))
return FAIL;
// The object pointer is in the execution typval stack. The GA_GROW call
// above may have reallocated the execution typval stack. So the object
// pointer may not be valid anymore. Get the object pointer again from the
// execution stack.
obj = STACK_TV_BOT(0) - argcount - vararg_count - 1;
// If depth of calling is getting too high, don't execute the function.
if (funcdepth_increment() == FAIL)
return FAIL;