diff options
author | mityu <mityu.mail@gmail.com> | 2023-11-25 15:41:20 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-11-25 15:41:20 +0100 |
commit | a555069b7d790abedc60edc505bd35bda257949d (patch) | |
tree | 1514af3bf9ce5f9470b9b731f45ef2e8f6dd759f /src/testdir | |
parent | 8c14e79737c5df5cd111f60e7bda46cb0b9d89f7 (diff) |
patch 9.0.2129: [security]: use-after-free in call_dfunc()v9.0.2129
Problem: [security]: use-after-free in call_dfunc()
Solution: Refresh dfunc pointer
closes: #13571
This Commit fixes a SEGV caused by a use-after-free bug in call_dfunc().
When calling check_ufunc_arg_types() from the call_dfunc() it may cause
def functions to be re-compiled and if there are too many def functions,
the def_functions array will be re-allocated. Which means, that the
dfunc pointer in call_dfunc() now starts pointing to freed memory.
So we need to reset the dfunc pointer after calling
check_ufunc_arg_types().
Let's also add a test, to ensure we do not regress.
Signed-off-by: mityu <mityu.mail@gmail.com>
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/testdir')
-rw-r--r-- | src/testdir/test_vim9_class.vim | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/src/testdir/test_vim9_class.vim b/src/testdir/test_vim9_class.vim index 18fde09910..3da4eb00f3 100644 --- a/src/testdir/test_vim9_class.vim +++ b/src/testdir/test_vim9_class.vim @@ -8585,4 +8585,171 @@ def Test_dict_member_key_type_check() v9.CheckSourceFailure(lines, 'E1012: Type mismatch; expected number but got dict<unknown>', 3) enddef +def Test_compile_many_def_functions_in_funcref_instr() + # This used to crash Vim. This is reproducible only when run on new instance + # of Vim. + var lines =<< trim END + vim9script + + class A + def new() + this.TakeFunc(this.F00) + enddef + + def TakeFunc(F: func) + enddef + + def F00() + this.F01() + this.F02() + this.F03() + this.F04() + this.F05() + this.F06() + this.F07() + this.F08() + this.F09() + this.F10() + this.F11() + this.F12() + this.F13() + this.F14() + this.F15() + this.F16() + this.F17() + this.F18() + this.F19() + this.F20() + this.F21() + this.F22() + this.F23() + this.F24() + this.F25() + this.F26() + this.F27() + this.F28() + this.F29() + this.F30() + this.F31() + this.F32() + this.F33() + this.F34() + this.F35() + this.F36() + this.F37() + this.F38() + this.F39() + this.F40() + this.F41() + this.F42() + this.F43() + this.F44() + this.F45() + this.F46() + this.F47() + enddef + + def F01() + enddef + def F02() + enddef + def F03() + enddef + def F04() + enddef + def F05() + enddef + def F06() + enddef + def F07() + enddef + def F08() + enddef + def F09() + enddef + def F10() + enddef + def F11() + enddef + def F12() + enddef + def F13() + enddef + def F14() + enddef + def F15() + enddef + def F16() + enddef + def F17() + enddef + def F18() + enddef + def F19() + enddef + def F20() + enddef + def F21() + enddef + def F22() + enddef + def F23() + enddef + def F24() + enddef + def F25() + enddef + def F26() + enddef + def F27() + enddef + def F28() + enddef + def F29() + enddef + def F30() + enddef + def F31() + enddef + def F32() + enddef + def F33() + enddef + def F34() + enddef + def F35() + enddef + def F36() + enddef + def F37() + enddef + def F38() + enddef + def F39() + enddef + def F40() + enddef + def F41() + enddef + def F42() + enddef + def F43() + enddef + def F44() + enddef + def F45() + enddef + def F46() + enddef + def F47() + enddef + endclass + + A.new() + END + writefile(lines, 'Xscript', 'D') + g:RunVim([], [], '-u NONE -S Xscript -c qa') + assert_equal(0, v:shell_error) +enddef + " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker |