patch 9.1.1400: [security]: use-after-free when evaluating tuple fails v9.1.1400
authorYegappan Lakshmanan <yegappan@yahoo.com>
Wed, 21 May 2025 18:52:44 +0000 (20:52 +0200)
committerChristian Brabandt <cb@256bit.org>
Wed, 21 May 2025 18:54:27 +0000 (20:54 +0200)
Problem:  [security]: use-after-free when evaluating tuple fails
Solution: return early in case of an error (Yegappan Lakshmanan)

closes: #17351

Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/eval.c
src/testdir/test_tuple.vim
src/version.c

index 530cc95fd339cd2ad3520f0d043ab0123848d85e..bbfe566fa3f20aa60a36becfc4967e50757d9fe2 100644 (file)
@@ -5000,6 +5000,8 @@ eval9_nested_expr(
        else
        {
            ret = eval1(arg, rettv, evalarg);   // recursive!
+           if (ret != OK)
+               return ret;
 
            *arg = skipwhite_and_linebreak(*arg, evalarg);
 
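Review bot: The added `if (ret != OK) return ret;` has no comment saying why parsing must stop at this point, and for a fix labelled use-after-free that reason is what keeps a later refactor from folding the check back into the code below it. I would put a line above it such as `// eval1() failed: stop here, the tuple parsing below must not run on rettv after an error`; the exact state of rettv after a failed eval1() is not visible in this hunk, so the wording should be matched to what eval1() guarantees. The return also skips everything that follows in eval9_nested_expr, whose body starts and ends outside the hunk, so it is worth confirming that nothing set up earlier in the function needs undoing on this path.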
index 875031f2caf17de2d952ba3d74eadabb530fd75c..e767851af2d1386e37c1719d3e116027695c5e78 100644 (file)
@@ -1575,6 +1575,17 @@ func Test_try_finally_with_tuple_return()
   call v9.CheckSourceSuccess(lines)
 endfunc
 
+" Test for evaluating a recursive tuple that results in an error
+func Test_recursive_tuple_eval_fails()
+  let lines =<< trim END
+    call assert_fails(((((((((((((((('tag xyz', func2(pat, flags, infn)
+  END
+  call v9.CheckSourceLegacyAndVim9Failure(lines, [
+        \ 'E121: Undefined variable: pat',
+        \ 'E1001: Variable not found: pat',
+        \ 'E121: Undefined variable: pat'])
+endfunc
+
 " Test for add() with a tuple
 func Test_tuple_add()
   let lines =<< trim END
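Review bot: Test_recursive_tuple_eval_fails asserts only the E121/E1001 messages, so it pins the error path but may not fail on a build that still has the use-after-free unless the suite runs under a memory checker such as ASAN or valgrind. The comment above the function should say that and tie the input to the fix, for example `" Regression test for patch 9.1.1400 (use-after-free); the memory error itself is only caught by ASAN/valgrind runs`. The reproducer line with its unbalanced parentheses looks deliberate, and a short remark that it must stay as written would stop someone from tidying it into an input that no longer reaches the failing eval1() call.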
index 570bfe49467c878d4ca59974a724c28661f3489d..a6c749dc0547348ff908e0df12206e8f59ecd6f2 100644 (file)
@@ -709,6 +709,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1400,
 /**/
     1399,
 /**/