git.ipfire.org Git - thirdparty/vim.git/commit
patch 9.0.2149: [security]: use-after-free in exec_instructions() v9.0.2149
author Christian Brabandt <cb@256bit.org>
Mon, 4 Dec 2023 21:52:23 +0000 (22:52 +0100)
committer Christian Brabandt <cb@256bit.org>
Mon, 4 Dec 2023 21:54:43 +0000 (22:54 +0100)
commit 5dd41d4b6370b7b7d09d691f9252b3899c66102a
tree 99bcf9a51f84ef73d003206c2d2960b51bd133b3
parent 1e5d66408ef85c750a5af03bbf5cc19b5de7a6bc
patch 9.0.2149: [security]: use-after-free in exec_instructions()

Problem:  [security]: use-after-free in exec_instructions()
Solution: get tv pointer again

[security]: use-after-free in exec_instructions()

exec_instructions may access freed memory, if the GA_GROWS_FAILS()
re-allocates memory. When this happens, the typval tv may still point to
now already freed memory. So let's get that pointer again and compare it
with tv. If those two pointers differ, tv is now invalid and we have to
refresh the tv pointer.

closes: #13621

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/testdir/crash/poc_uaf_exec_instructions [new file with mode: 0644]
src/testdir/test_crash.vim
src/version.c
src/vim9execute.c
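
The pattern the commit message describes, re-fetching an element pointer after a grow array may have moved its storage, shown as an added example that is not Vim's code. The names `item_T`, `stack_T`, `stack_grow`, `stack_push` and `stack_dup` are hypothetical, and the grow routine always relocates so the stale-pointer case is reproducible.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a grow array of typed values; not Vim's types. */
typedef struct { int v_type; long v_number; } item_T;
typedef struct { item_T *data; int len; int cap; } stack_T;

/* Make room for `extra` items. Always moves to a fresh block so relocation is
 * deterministic here (realloc() may or may not move). Returns 0 on success. */
static int stack_grow(stack_T *st, int extra)
{
    if (st->len + extra <= st->cap)
        return 0;
    int ncap = (st->len + extra) * 2;
    item_T *nd = malloc(sizeof(item_T) * (size_t)ncap);
    if (nd == NULL)
        return -1;
    if (st->len > 0)
        memcpy(nd, st->data, sizeof(item_T) * (size_t)st->len);
    free(st->data);   /* every pointer into the old block is now dangling */
    st->data = nd;
    st->cap = ncap;
    return 0;
}

int stack_push(stack_T *st, long n)
{
    if (stack_grow(st, 1) != 0)
        return -1;
    st->data[st->len++] = (item_T){ 0, n };
    return 0;
}

/* Copy item idx to the top. Returns 1 if growing moved the storage and tv
 * had to be refreshed, 0 if it did not move, -1 on allocation failure. */
int stack_dup(stack_T *st, int idx)
{
    item_T *tv = &st->data[idx];
    uintptr_t before = (uintptr_t)tv;   /* keep the address as an integer */
    if (stack_grow(st, 1) != 0)
        return -1;
    item_T *now = &st->data[idx];       /* get the pointer again */
    int moved = ((uintptr_t)now != before);
    if (moved)
        tv = now;                       /* old tv pointed into freed memory */
    st->data[st->len++] = *tv;          /* read goes to live storage */
    return moved;
}
```

Dropping the refresh in `stack_dup` turns the final read into a use-after-free whenever the grow relocates, which a build with `-fsanitize=address` reports at that line.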