author | Christian Brabandt <cb@256bit.org> | 2023-09-03 21:43:46 +0200 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-09-03 21:43:46 +0200 |
commit | 6e60cf444a8839ca1694319bf9a82e7b097e5c4d (patch) | |
tree | 0ae96b7f0834c9e82cd174dda7683eb209dd46e3 | |
parent | ee9166eb3b41846661a39b662dc7ebe8b5e15139 (diff) |
patch 9.0.1859: heap-use-after-free in bt_normal()v9.0.1859
Problem: heap-use-after-free in bt_normal()
Solution: check that buffer is still valid
Signed-off-by: Christian Brabandt <cb@256bit.org>
-rw-r--r-- | src/buffer.c | 2 | ||||
-rw-r--r-- | src/testdir/crash/bt_quickfix1_poc | 5 | ||||
-rw-r--r-- | src/testdir/test_crash.vim | 10 | ||||
-rw-r--r-- | src/version.c | 2 |
4 files changed, 18 insertions, 1 deletions
diff --git a/src/buffer.c b/src/buffer.c
index 14eac92b97..93f9245f27 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -5777,7 +5777,7 @@ bt_normal(buf_T *buf)
 bt_quickfix(buf_T *buf UNUSED)
 {
 #ifdef FEAT_QUICKFIX
- return buf != NULL && buf->b_p_bt[0] == 'q';
+ return buf != NULL && buf_valid(buf) && buf->b_p_bt[0] == 'q';
 #else
 return FALSE;
 #endif
diff --git a/src/testdir/crash/bt_quickfix1_poc b/src/testdir/crash/bt_quickfix1_poc
new file mode 100644
index 0000000000..97993fde52
--- /dev/null
+++ b/src/testdir/crash/bt_quickfix1_poc
@@ -0,0 +1,5 @@
+au BufReadPre * exe 'sn' .. expand("<abuf>")
+call writefile([''],'X')
+sil! e X
+call writefile([''],'X')
+sil! e X
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 27bf7b55d4..8deb79702b 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -49,6 +49,15 @@ func Test_crash1()
 call TermWait(buf, 100)
+ let file = 'crash/bt_quickfix1_poc'
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args ..
+ \ ' && echo "crash 6: [OK]" >> X_crash1_result.txt' .. "\<cr>")
+ " clean up
+ call delete('X')
+ " This test takes a bit longer
+ call TermWait(buf, 200)
+ " clean up
 exe buf .. "bw!"
@@ -60,6 +69,7 @@ func Test_crash1()
 \ 'crash 3: [OK]',
 \ 'crash 4: [OK]',
 \ 'crash 5: [OK]',
+ \ 'crash 6: [OK]',
 \ ]
 call assert_equal(expected, getline(1, '$'))
diff --git a/src/version.c b/src/version.c
index b604b57f8b..f2ff8d6b70 100644
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@ static char *(features[]) =
 static int included_patches[] = { /* Add new patch number below this line */
 /**/
+ 1859,
+/**/
 1858,
 /**/
 1857, |
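Review bot: Only this one read of `buf->b_p_bt` in bt_quickfix() is protected by the new `buf_valid(buf)` guard; the caller that still holds the stale `buf_T *` is not touched, and neither is bt_normal(), which the commit title names and whose body lies outside the hunk. buf_valid() decides by looking the pointer up in the buffer list, so it would presumably also accept a pointer whose address has since been reused by a newly allocated buffer. A caller that keeps a buffer across autocommands is more reliably covered by holding a `bufref_T` and checking `bufref_valid()` before use. The guard also deserves a comment so it is not later removed as redundant: `// "buf" may have been freed by an autocommand; buf_valid() must run before b_p_bt is read`.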
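Review bot: The new fixture src/testdir/crash/bt_quickfix1_poc has no comment saying what it reproduces or which patch fixed it, so a later reader has to find this commit to understand it. A first line such as `" regression input for patch 9.0.1859 (heap-use-after-free, see bt_quickfix() in src/buffer.c)` would record that. The script also writes a file named `X` into the working directory and relies on the calling test to remove it, which is worth stating in the same comment.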
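Review bot: `call delete('X')` runs right after `term_sendkeys()` and before `call TermWait(buf, 200)`, so in Test_crash1() the file may be removed before the spawned Vim has finished the PoC, which itself writes `X` twice; that can leave `X` behind in the test directory. Doing the cleanup after the wait, `call TermWait(buf, 200)` followed by `call delete('X')`, avoids the race. The `crash 6: [OK]` line is written only when the child exits successfully, so the test presumably catches the use-after-free only in builds where the bad read actually aborts (for example under a sanitizer); a comment saying so would help. Test_crash1() begins and ends outside the hunk.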