diff options
| author | Yegappan Lakshmanan <yegappan@yahoo.com> | 2023-10-07 22:03:18 +0200 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2023-10-07 22:03:18 +0200 |
| commit | 1087b8c29ab521106c5b6cc85d5b38244f0d9c1d (patch) | |
| tree | 115f15c629ccea8411ef839b4c184502bc2cf8ca | |
| parent | 2a281ccca017fb5e8ffd20a86aa390431224a2fd (diff) | |
patch 9.0.2000: Vim9: use-after-free in deep call stackv9.0.2000
Problem: Vim9: use-after-free in deep call stack
Solution: Get the objct pointer from execution stack
closes: #13296
Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
| -rw-r--r-- | src/testdir/test_vim9_class.vim | 40 | ||||
| -rw-r--r-- | src/version.c | 2 | ||||
| -rw-r--r-- | src/vim9execute.c | 6 |
3 files changed, 48 insertions, 0 deletions
diff --git a/src/testdir/test_vim9_class.vim b/src/testdir/test_vim9_class.vim index 0c8fd7057a..0e70c9f6fe 100644 --- a/src/testdir/test_vim9_class.vim +++ b/src/testdir/test_vim9_class.vim @@ -6989,4 +6989,44 @@ func Test_object_variable_complex_type_check() call v9.CheckSourceSuccess(lines) endfunc +" Test for recursively calling an object method. This used to cause an +" use-after-free error. +def Test_recursive_object_method_call() + var lines =<< trim END + vim9script + class A + this.val: number = 0 + def Foo(): number + if this.val >= 90 + return this.val + endif + this.val += 1 + return this.Foo() + enddef + endclass + var a = A.new() + assert_equal(90, a.Foo()) + END + v9.CheckSourceSuccess(lines) +enddef + +" Test for recursively calling a class method. +def Test_recursive_class_method_call() + var lines =<< trim END + vim9script + class A + static val: number = 0 + static def Foo(): number + if val >= 90 + return val + endif + val += 1 + return Foo() + enddef + endclass + assert_equal(90, A.Foo()) + END + v9.CheckSourceSuccess(lines) +enddef + " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker diff --git a/src/version.c b/src/version.c index 8dea204b2b..5d1c1c9441 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2000, +/**/ 1999, /**/ 1998, diff --git a/src/vim9execute.c b/src/vim9execute.c index f237132a89..826282241b 100644 --- a/src/vim9execute.c +++ b/src/vim9execute.c @@ -559,6 +559,12 @@ call_dfunc( arg_to_add + STACK_FRAME_SIZE + varcount)) return FAIL; + // The object pointer is in the execution typval stack. The GA_GROW call + // above may have reallocated the execution typval stack. So the object + // pointer may not be valid anymore. Get the object pointer again from the + // execution stack. + obj = STACK_TV_BOT(0) - argcount - vararg_count - 1; + // If depth of calling is getting too high, don't execute the function. if (funcdepth_increment() == FAIL) return FAIL; |