diff options
| author | Christian Brabandt <cb@256bit.org> | 2023-11-14 19:31:34 +0100 |
|---|---|---|
| committer | Christian Brabandt <cb@256bit.org> | 2023-11-16 22:04:00 +0100 |
| commit | 25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a (patch) | |
| tree | 9b56e90635d6bc6b124bda1d179348bcd6a2cf8d /src | |
| parent | 67abf1592c83c910c7815478f67e0a8989d51417 (diff) | |
patch 9.0.2106: [security]: Use-after-free in win_close()v9.0.2106
Problem: [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it
If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.
Add a test to trigger ASAN in CI
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/testdir/crash/poc1 | bin | 0 -> 3264 bytes | |||
| -rw-r--r-- | src/testdir/test_crash.vim | 33 | ||||
| -rw-r--r-- | src/version.c | 2 | ||||
| -rw-r--r-- | src/window.c | 2 |
4 files changed, 37 insertions, 0 deletions
diff --git a/src/testdir/crash/poc1 b/src/testdir/crash/poc1 Binary files differnew file mode 100644 index 0000000000..ec223f16b8 --- /dev/null +++ b/src/testdir/crash/poc1 diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim index 5cd07e2a3f..b093b053c5 100644 --- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim @@ -110,6 +110,39 @@ func Test_crash1() call delete('X_crash1_result.txt') endfunc +func Test_crash1_2() + CheckNotBSD + CheckExecutable dash + + " The following used to crash Vim + let opts = #{cmd: 'sh'} + let vim = GetVimProg() + let result = 'X_crash1_1_result.txt' + + let buf = RunVimInTerminal('sh', opts) + + let file = 'crash/poc1' + let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args .. + \ ' && echo "crash 1: [OK]" > '.. result .. "\<cr>") + call TermWait(buf, 150) + + " clean up + exe buf .. "bw!" + + exe "sp " .. result + + let expected = [ + \ 'crash 1: [OK]', + \ ] + + call assert_equal(expected, getline(1, '$')) + bw! + + call delete(result) +endfunc + func Test_crash2() " The following used to crash Vim let opts = #{wait_for_ruler: 0, rows: 20} diff --git a/src/version.c b/src/version.c index f9d1593c0d..ec021985f2 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2106, +/**/ 2105, /**/ 2104, diff --git a/src/window.c b/src/window.c index f77ede330d..55ce31c886 100644 --- a/src/window.c +++ b/src/window.c @@ -2682,6 +2682,8 @@ win_close(win_T *win, int free_buf) reset_VIsual_and_resel(); // stop Visual mode other_buffer = TRUE; + if (!win_valid(win)) + return FAIL; win->w_closing = TRUE; apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf); if (!win_valid(win)) |