From: Foxe Chen
Date: Mon, 15 Dec 2025 18:58:54 +0000 (+0100)
Subject: patch 9.1.1982: Use after free with redraw_listener_add()
X-Git-Tag: v9.1.1982^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb5995a8764418359b979093f3af06f03ac7de6e;p=thirdparty%2Fvim.git
patch 9.1.1982: Use after free with redraw_listener_add()
Problem: Use after free with redraw_listener_add() (after: v9.1.1976)
Solution: Copy Callbacks into listener struct (Foxe Chen)
closes: #18926
Signed-off-by: Foxe Chen
Signed-off-by: Christian Brabandt
---
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 6e37ccbabf..ba6901d08b 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -3479,7 +3479,7 @@ f_redraw_listener_add(typval_T *argvars, typval_T *rettv)
 vim_free(rln);
 return;
 }
- set_callback(&rln->rl_callbacks.on_start, &cb);
+ copy_callback(&rln->rl_callbacks.on_start, &cb);
 free_callback(&cb);
 clear_tv(&tv);
 got_one = true;
@@ -3496,7 +3496,7 @@ f_redraw_listener_add(typval_T *argvars, typval_T *rettv)
 vim_free(rln);
 return;
 }
- set_callback(&rln->rl_callbacks.on_end, &cb);
+ copy_callback(&rln->rl_callbacks.on_end, &cb);
 free_callback(&cb);
 clear_tv(&tv);
 got_one = true;
diff --git a/src/testdir/test_listener.vim b/src/testdir/test_listener.vim
index 4b073af07f..d3475cbc45 100644
--- a/src/testdir/test_listener.vim
+++ b/src/testdir/test_listener.vim
@@ -774,4 +774,12 @@ func Test_redraw_remove_in_callback()
 call StopVimInTerminal(buf)
 endfunc
+func s:OnRedraw()
+endfunc
+
+" Test if partial is correctly ref'ed and doesn't cause use afte free error
+func Test_redraw_listener_partial()
+ call redraw_listener_add(#{on_start: function("s:OnRedraw", [1])})
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 92005c7169..a3e2f5127d 100644
--- a/src/version.c
+++ b/src/version.c
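Review bot: In src/drawscreen.c, the early exit shown as context at the top of the second hunk (`vim_free(rln); return;`) can now run after `rl_callbacks.on_start` was filled by `copy_callback()`, so the listener already owns a reference that a plain `vim_free(rln)` does not drop. The condition guarding that exit and the rest of `f_redraw_listener_add()` are outside the hunk, so this is inferred; if nothing above releases it, add `free_callback(&rln->rl_callbacks.on_start);` before that `vim_free(rln);`. The same ownership applies on teardown: the listener removal path, not visible here, has to call `free_callback()` on both `on_start` and `on_end`, otherwise the use-after-free is traded for a leak. A short comment at both copy sites would record the intent, e.g. `// listener keeps its own reference; "cb" is released below`.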
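Review bot: In `Test_redraw_listener_partial()` the partial binds one argument (`[1]`) while `s:OnRedraw()` is declared without parameters, and the test neither forces a redraw nor unregisters the listener. As written the regression only shows up if a sanitizer or a later incidental redraw touches the freed partial, and an actual invocation would presumably fail on the argument count instead of exercising the callback. Declaring the helper as `func s:OnRedraw(...)`, forcing a redraw inside the test and removing the listener afterwards would make the check deterministic and keep the listener from leaking into the tests that follow. The added comment also has a typo, `afte free`.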
@@ -734,6 +734,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1982, /**/ 1981, /**/