thac0/vim
1
0
Fork 0
forked from aniani/vim
Code Activity

patch 9.0.2158: [security]: use-after-free in check_argument_type

Browse Source 
Problem:  [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
          list

function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.

So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer

closes: #13652

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2023-12-11 17:53:25 +01:00
parent e4a450a87b
commit 0f28791b21
6 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/vim9type.c
View File

@@ -122,6 +122,19 @@ clear_type_list(garray_T *gap)
ga_clear(gap);
}
void
clear_func_type_list(garray_T *gap, type_T **func_type)
{
while (gap->ga_len > 0)
{
// func_type pointing to the uf_type_list, so reset pointer
if (*func_type == ((type_T **)gap->ga_data)[--gap->ga_len])
*func_type = &t_func_any;
vim_free(((type_T **)gap->ga_data)[gap->ga_len]);
}
ga_clear(gap);
}
/*
* Take a type that is using entries in a growarray and turn it into a type
* with allocated entries.