diff options
| author | Christian Brabandt <cb@256bit.org> | 2023-11-28 22:03:48 +0100 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2023-12-01 18:58:50 +0100 |
| commit | eec0c2b3a4cfab93dd8d4adaa60638d47a2bbc8a (patch) | |
| tree | 2f60c6c3095b52818325cbd6c92dcb293f8c8727 /src/testdir/crash | |
| parent | 9cc95aa0d8f52bb0c906ca13297ce3a2ba615f2b (diff) | |
patch 9.0.2140: [security]: use-after-free in win-enterv9.0.2140
Problem: [security]: use-after-free in win-enter
Solution: validate window pointer before calling win_enter()
win_goto() may stop visual mode, if it is active. However, this may in
turn trigger the ModeChanged autocommand, which could potentially free
the wp pointer which was valid before now became stale and points to now
freed memory.
So before calling win_enter(), let's verify one more time, that the
wp pointer still points to a valid window structure.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/testdir/crash')
| -rw-r--r-- | src/testdir/crash/poc_win_enter_ext | bin | 0 -> 1958 bytes |
1 files changed, 0 insertions, 0 deletions
diff --git a/src/testdir/crash/poc_win_enter_ext b/src/testdir/crash/poc_win_enter_ext Binary files differnew file mode 100644 index 0000000000..73f53b575b --- /dev/null +++ b/src/testdir/crash/poc_win_enter_ext |