aniani/vim
0
0
Fork 1
mirror of https://github.com/vim/vim.git synced 2025-09-24 03:44:06 -04:00
Code Activity

patch 9.0.2000: Vim9: use-after-free in deep call stack

Browse Source 
Problem:  Vim9: use-after-free in deep call stack
Solution: Get the objct pointer from execution stack

closes: #13296

Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
This commit is contained in:
Yegappan Lakshmanan
2023-10-07 22:03:18 +02:00
committed by Christian Brabandt
parent 2a281ccca0
commit 1087b8c29a
3 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/testdir/test_vim9_class.vim
View File

@@ -6989,4 +6989,44 @@ func Test_object_variable_complex_type_check()
call v9.CheckSourceSuccess(lines) call v9.CheckSourceSuccess(lines)
endfunc endfunc
" Test for recursively calling an object method. This used to cause an
" use-after-free error.
def Test_recursive_object_method_call()
var lines =<< trim END
vim9script
class A
this.val: number = 0
def Foo(): number
if this.val >= 90
return this.val
endif
this.val += 1
return this.Foo()
enddef
endclass
var a = A.new()
assert_equal(90, a.Foo())
END
v9.CheckSourceSuccess(lines)
enddef
" Test for recursively calling a class method.
def Test_recursive_class_method_call()
var lines =<< trim END
vim9script
class A
static val: number = 0
static def Foo(): number
if val >= 90
return val
endif
val += 1
return Foo()
enddef
endclass
assert_equal(90, A.Foo())
END
v9.CheckSourceSuccess(lines)
enddef
" vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker

2
src/version.c
View File

@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
2000,
/**/ /**/
1999, 1999,
/**/ /**/

6
src/vim9execute.c
View File

@@ -559,6 +559,12 @@ call_dfunc(
arg_to_add + STACK_FRAME_SIZE + varcount)) arg_to_add + STACK_FRAME_SIZE + varcount))
return FAIL; return FAIL;
// The object pointer is in the execution typval stack. The GA_GROW call
// above may have reallocated the execution typval stack. So the object
// pointer may not be valid anymore. Get the object pointer again from the
// execution stack.
obj = STACK_TV_BOT(0) - argcount - vararg_count - 1;
// If depth of calling is getting too high, don't execute the function. // If depth of calling is getting too high, don't execute the function.
if (funcdepth_increment() == FAIL) if (funcdepth_increment() == FAIL)
return FAIL; return FAIL;