patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'

Problem:  potential use-after free when there is an error in 'tabpanel'
          option (@char101, after v9.1.1391)
Solution: check if p_tpl has been set to null before accessing it again.

While at it slightly change starts_with_percent_and_bang() and use the
existing opt_name and opt_scope variables.

fixes: #17364
closes: #17388

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/tabpanel.c b/src/tabpanel.c
index bb7a8742b2ca335033efce5f338d7cff6b646aa0..599e434cbecb233b265ce02a663acd51855525f2 100644 (file)
--- a/src/tabpanel.c
+++ b/src/tabpanel.c
@@ -530,8 +530,8 @@ starts_with_percent_and_bang(tabpanel_T *pargs)
        if (did_emsg > did_emsg_before)
        {
            usefmt = NULL;
-           set_string_option_direct((char_u *)"tabpanel", -1, (char_u *)"",
-                   OPT_FREE | OPT_GLOBAL, SID_ERROR);
+           set_string_option_direct(opt_name, -1, (char_u *)"",
+                   OPT_FREE | opt_scope, SID_ERROR);
        }
     }
 #endif
@@ -641,6 +641,12 @@ do_by_tplmode(
                args.prow = &row;
                args.pcol = &col;
                draw_tabpanel_userdefined(tplmode, &args);
+               // p_tpl could have been freed in build_stl_str_hl()
+               if (p_tpl == NULL || *p_tpl == NUL)
+               {
+                   usefmt = NULL;
+                   break;
+               }
 
                p += i;
                i = 0;

diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
index 46ebe3b62333903c349ef8bd78cc55b51b89e251..e0a6a8c61a60c87e2546603a619ee6dd54b5f9b6 100644 (file)
--- a/src/testdir/test_tabpanel.vim
+++ b/src/testdir/test_tabpanel.vim
@@ -529,6 +529,14 @@ function Test_tabpanel_error()
   catch /^Vim\%((\a\+)\)\=:E117:/
   endtry
   call assert_true(empty(&tabpanel))
+
+  try
+    set tabpanel=%{my#util#TabPanelHighlight}%t
+    redraw!
+  catch /^Vim\%((\a\+)\)\=:E121:/
+  endtry
+  call assert_true(empty(&tabpanel))
+
   set tabpanel&vim
   set showtabpanel&vim
 endfunc

diff --git a/src/version.c b/src/version.c
index 5366f3f2eecbd9f8c4f6b1848318ebfe807f0127..a788db1af846c971f0552a3c942cc0dfca5ff0ee 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1415,
 /**/
     1414,
 /**/