patch 9.0.1492: using uninitialized memory when argument is missing

Problem: Using uninitialized memory when argument is missing. Solution: Check there are sufficient arguments before the base. (closes #12302)
2025-10-02 05:04:20 -04:00 · 2023-04-27 16:24:07 +01:00
parent fbf2071ac9
commit b7f2270bab
5 changed files with 23 additions and 1 deletions
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -3134,6 +3134,9 @@ call_internal_method(

    if (global_functions[fi].f_argtype == FEARG_2)
    {
+	if (argcount < 1)
+	    return FCERR_TOOFEW;
+
 	// base value goes second
 	argv[0] = argvars[0];
 	argv[1] = *basetv;
@@ -3142,6 +3145,9 @@ call_internal_method(
    }
    else if (global_functions[fi].f_argtype == FEARG_3)
    {
+	if (argcount < 2)
+	    return FCERR_TOOFEW;
+
 	// base value goes third
 	argv[0] = argvars[0];
 	argv[1] = argvars[1];
@@ -3151,6 +3157,9 @@ call_internal_method(
    }
    else if (global_functions[fi].f_argtype == FEARG_4)
    {
+	if (argcount < 3)
+	    return FCERR_TOOFEW;
+
 	// base value goes fourth
 	argv[0] = argvars[0];
 	argv[1] = argvars[1];
--- a/src/testdir/test_expr.vim
+++ b/src/testdir/test_expr.vim
@@ -458,6 +458,9 @@ func Test_printf_misc()
  call v9.CheckLegacyAndVim9Success(lines)

  call v9.CheckLegacyAndVim9Failure(["call printf('123', 3)"], "E767:")
+
+  " this was using uninitialized memory
+  call v9.CheckLegacyAndVim9Failure(["eval ''->printf()"], "E119:")
 endfunc

 func Test_printf_float()
--- a/src/testdir/test_listener.vim
+++ b/src/testdir/test_listener.vim
@@ -212,6 +212,8 @@ func Test_listener_args()
  call assert_fails('call listener_add([])', 'E921:')
  call assert_fails('call listener_add("s:StoreListArgs", [])', 'E730:')
  call assert_fails('call listener_flush([])', 'E730:')
+
+  call assert_fails('eval ""->listener_add()', 'E119:')
 endfunc

 func s:StoreBufList(buf, start, end, added, list)
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1492,
 /**/
    1491,
 /**/
--- a/src/vim9instr.c
+++ b/src/vim9instr.c
@@ -1626,8 +1626,14 @@ check_internal_func_args(

    if (method_call && argoff > 1)
    {
-	isn_T	*isn = generate_instr(cctx, ISN_SHUFFLE);
+	if (argcount < argoff)
+	{
+	    semsg(_(e_not_enough_arguments_for_function_str),
+						 internal_func_name(func_idx));
+	    return FAIL;
+	}

+	isn_T	*isn = generate_instr(cctx, ISN_SHUFFLE);
 	if (isn  == NULL)
 	    return FAIL;
 	isn->isn_arg.shuffle.shfl_item = argcount;