author | Yegappan Lakshmanan <yegappan@yahoo.com> | 2024-01-12 17:21:55 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2024-01-12 17:27:02 +0100 |
commit | 28d71b566a29ceea3a2d05bcee9264ed5d630d42 (patch) | |
tree | 33c4636d5b8adf94766f6be78042ef463cbd3c31 /src/eval.c | |
parent | 71d0ba07a33a750e9834cd42b7acc619043dedb1 (diff) |
patch 9.1.0017: [security]: use-after-free in eval1_emsg()v9.1.0017
Problem: use-after-free in eval1_emsg() when an empty
line follows a lambda (by @yu3s)
Solution: only set evalarg->eval_using_cmdline = FALSE when
the *arg pointer is not null
fixes: #13833
closes: #13841
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/eval.c')
-rw-r--r-- | src/eval.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/eval.c b/src/eval.c
index 815d13d42a..bf053dfb69 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -2699,6 +2699,9 @@ eval_next_non_blank(char_u *arg, evalarg_T *evalarg, int *getnext)
 /*
 * To be called after eval_next_non_blank() sets "getnext" to TRUE.
 * Only called for Vim9 script.
+ *
+ * If "arg" is not NULL, then the caller should assign the return value to
+ * "arg".
 */
 char_u *
 eval_next_line(char_u *arg, evalarg_T *evalarg)
@@ -2747,8 +2750,12 @@ eval_next_line(char_u *arg, evalarg_T *evalarg)
 }
 // Advanced to the next line, "arg" no longer points into the previous
- // line.
- evalarg->eval_using_cmdline = FALSE;
+ // line. The caller assigns the return value to "arg".
+ // If "arg" is NULL, then the return value is discarded. In that case,
+ // "arg" still points to the previous line. So don't reset
+ // "eval_using_cmdline".
+ if (arg != NULL)
+ evalarg->eval_using_cmdline = FALSE;
 return skipwhite(line);
 } |
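Review bot: The new header comment on eval_next_line() documents only the non-NULL case and words it as "should", while the NULL case that the guard further down depends on is explained only inside the body. Because the commit message ties a stale "arg" to the use-after-free, the contract belongs at the top where callers read it: change "should" to "must" and add `* If "arg" is NULL the return value is discarded and "eval_using_cmdline" is left unchanged.` The function body itself continues outside this hunk.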
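Review bot: `if (arg != NULL)` takes a NULL "arg" as the only sign that the caller discards the return value, so a caller that passes a non-NULL "arg" and does not assign the result still gets "eval_using_cmdline" cleared while its pointer refers to the previous line. Nothing in this hunk enforces that convention and the call sites are not visible here, so each caller of eval_next_line() is worth checking against it. The diffstat is limited to src/eval.c, so it cannot be told from this page whether a regression test for the empty-line-after-lambda case from the commit message is included; if it is not, one should be added. The start of the function body lies outside the hunk.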