patch 9.1.0728: [security]: heap-use-after-free in garbage collection with location... v9.1.0728
authorzeertzjq <zeertzjq@outlook.com>
Sat, 14 Sep 2024 08:32:31 +0000 (10:32 +0200)
committerChristian Brabandt <cb@256bit.org>
Sat, 14 Sep 2024 08:34:53 +0000 (10:34 +0200)
Problem:  heap-use-after-free in garbage collection with location list
          user data.
Solution: Mark user data as in use when no other window is referencing
          the location list (zeertzjq)

fixes: neovim/neovim#30371
closes: #15683

Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/quickfix.c
src/testdir/test_quickfix.vim
src/version.c

index 414fe650d7b40b636260f05edaf163fb4f96e02b..6f7d3a58b9a904d9cd1c03ef9458ec3e6ef694e8 100644 (file)
@@ -8011,6 +8011,10 @@ set_ref_in_quickfix(int copyID)
            abort = mark_quickfix_ctx(win->w_llist_ref, copyID);
            if (abort)
                return abort;
+
+           abort = mark_quickfix_user_data(win->w_llist_ref, copyID);
+           if (abort)
+               return abort;
        }
     }
 
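Review bot: The added `mark_quickfix_user_data(win->w_llist_ref, copyID)` call has no comment saying why user data must be marked on this path, and any comment above the `mark_quickfix_ctx` call (outside the hunk) that mentions only the context is now incomplete. Going by the commit message, this branch handles a location list that no other window references, so the garbage collector can presumably reach the entries' user data only through `w_llist_ref`. I would state that in place, e.g. `// Also mark the entries' user data: nothing but w_llist_ref refers to this list any more.` The enclosing `set_ref_in_quickfix` starts and ends outside the hunk, so it is worth confirming that every other list it walks marks both context and user data, since a missed one gives the same heap-use-after-free.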
index 47b9b4703d531db33d6728086c0a1a97fea278be..0aa82ef74956206905f90a73de3a8f7f665994b9 100644 (file)
@@ -4208,6 +4208,18 @@ func Test_ll_window_ctx()
   enew | only
 endfunc
 
+" Similar to the problem above, but for user data.
+func Test_ll_window_user_data()
+  call setloclist(0, [#{bufnr: bufnr(), user_data: {}}])
+  lopen
+  wincmd t
+  close
+  call test_garbagecollect_now()
+  call feedkeys("\<CR>", 'tx')
+  call test_garbagecollect_now()
+  %bwipe!
+endfunc
+
 " The following test used to crash vim
 func Test_lfile_crash()
   sp Xtest
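Review bot: `Test_ll_window_user_data` contains no assertion, so it catches the regression only if the freed dict makes Vim crash or the suite runs under a memory sanitizer or Valgrind; a plain build can pass with the bug present. After the second `test_garbagecollect_now()` I would check that the value survived, for example `call assert_equal({}, getloclist(0)[0].user_data)` (this assumes the window entered by `<CR>` has the location list attached, which should be verified). A non-empty value such as `#{k: 'v'}` would make that check more telling than `{}`. The comment `" Similar to the problem above, but for user data.` could also name the condition being exercised: the owning window is closed, so only the location list window still references the list.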
index 782f4318f058e10c1a0794695ef0366fcfdbcb7e..ba33f431d529e910a0d3eb16cbed08e4f25fd35d 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    728,
 /**/
     727,
 /**/