patch 9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

Commit: 
https://github.com/vim/vim/commit/2101230f4013860dbafcb0cab3f4e6bc92fb6f35
Author: zeertzjq <zeert...@outlook.com>
Date:   Sun Feb 2 08:55:57 2025 +0100

    patch 9.1.1066: heap-use-after-free and stack-use-after-scope with 
:14verbose
    
    Problem:  heap-use-after-free and stack-use-after-scope with :14verbose
              when using :return and :try (after 9.1.1063).
    Solution: Move back the vim_free(tofree) and the scope of numbuf[].
              (zeertzjq)
    
    closes: #16563
    
    Signed-off-by: zeertzjq <zeert...@outlook.com>
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/testdir/test_user_func.vim b/src/testdir/test_user_func.vim
index 99ac90662..bae98ed1f 100644
--- a/src/testdir/test_user_func.vim
+++ b/src/testdir/test_user_func.vim
@@ -987,4 +987,36 @@ func Test_func_curly_brace_invalid_name()
   delfunc Fail
 endfunc
 
+func Test_func_return_in_try_verbose()
+  func TryReturnList()
+    try
+      return [1, 2, 3]
+    endtry
+  endfunc
+  func TryReturnNumber()
+    try
+      return 123
+    endtry
+  endfunc
+  func TryReturnOverlongString()
+    try
+      return repeat('a', 9999)
+    endtry
+  endfunc
+
+  " This should not cause heap-use-after-free
+  call assert_match('
:return \[1, 2, 3\] made pending
',
+                  \ execute('14verbose call TryReturnList()'))
+  " This should not cause stack-use-after-scope
+  call assert_match('
:return 123 made pending
',
+                  \ execute('14verbose call TryReturnNumber()'))
+  " An overlong string is truncated
+  call assert_match('
:return a\{100,}\.\.\.',
+                  \ execute('14verbose call TryReturnOverlongString()'))
+
+  delfunc TryReturnList
+  delfunc TryReturnNumber
+  delfunc TryReturnOverlongString
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/userfunc.c b/src/userfunc.c
index 81f1f284e..0cdfa3879 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -682,12 +682,12 @@ make_ufunc_name_readable(char_u *name, char_u *buf, 
size_t bufsize)
     return buf;
 }
 
-/*
- * Get a name for a lambda.  Returned in static memory.
- */
 static char_u  lambda_name[8 + NUMBUFLEN];
 static size_t  lambda_namelen = 0;
 
+/*
+ * Get a name for a lambda.  Returned in static memory.
+ */
     char_u *
 get_lambda_name(void)
 {
@@ -6820,17 +6820,13 @@ discard_pending_return(void *rettv)
 get_return_cmd(void *rettv)
 {
     char_u     *s = NULL;
+    char_u     *tofree = NULL;
+    char_u     numbuf[NUMBUFLEN];
     size_t     slen = 0;
     size_t     IObufflen;
 
     if (rettv != NULL)
-    {
-       char_u  *tofree = NULL;
-       char_u  numbuf[NUMBUFLEN];
-
        s = echo_string((typval_T *)rettv, &tofree, numbuf, 0);
-       vim_free(tofree);
-    }
     if (s == NULL)
        s = (char_u *)"";
     else
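Review bot: The fix relies on `s` outliving the copy into IObuff — per the Problem line, `echo_string()` can return a pointer into `numbuf[]` or into the buffer it hands back through `tofree` — but nothing in the function states that, which is how 9.1.1063 was able to shrink their scope without anyone noticing. A comment above the `if (rettv != NULL)` line would pin the invariant: `// "s" may point into numbuf[] or into the "tofree" allocation; both must stay valid until IObuff has been filled below`. get_return_cmd continues in the next hunk, where `tofree` is now released just before the return.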
@@ -6839,11 +6835,12 @@ get_return_cmd(void *rettv)
     STRCPY(IObuff, ":return ");
     STRNCPY(IObuff + 8, s, IOSIZE - 8);
     IObufflen = 8 + slen;
-    if (slen + 8 >= IOSIZE)
+    if (IObufflen >= IOSIZE)
     {
        STRCPY(IObuff + IOSIZE - 4, "...");
-       IObufflen += 3;
+       IObufflen = IOSIZE - 1;
     }
+    vim_free(tofree);
     return vim_strnsave(IObuff, IObufflen);
 }
 
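Review bot: The three `8`s and the `IOSIZE - 4` in this hunk are unstated consequences of the literals `":return "` and `"..."` plus the terminating NUL, and the new `IObufflen = IOSIZE - 1` is right only because the preceding `STRNCPY` leaves IObuff unterminated when `slen >= IOSIZE - 8` and the `STRCPY` of `"..."` then terminates it at `IObuff[IOSIZE - 1]`; none of that is written down. A comment above the `if (IObufflen >= IOSIZE)` check would make the arithmetic checkable: `// ":return " is 8 bytes; when the value does not fit, STRNCPY left no NUL, so replace the tail with "..." and report IOSIZE - 1 bytes`. If `s` can hold multibyte text, cutting at a fixed byte offset may split a character — presumably acceptable for a verbose message, but worth saying in the same comment. get_return_cmd begins in the previous hunk.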
diff --git a/src/version.c b/src/version.c
index 6f59af4e1..9519d6905 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1066,
 /**/
     1065,
 /**/
