patch 9.0.2117: [security] use-after-free in qf_free_items v9.0.2117
authorChristian Brabandt <cb@256bit.org>
Sun, 19 Nov 2023 15:19:27 +0000 (16:19 +0100)
committerChristian Brabandt <cb@256bit.org>
Tue, 21 Nov 2023 18:52:12 +0000 (19:52 +0100)
Problem:  [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed

Coverity discovered a possible use-after-free in qf_free_items. When
freeing the qfline items, we may access freed memory, when qfp ==
qfpnext.

So only access qfpnext, when it hasn't been freed.

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/quickfix.c
src/version.c

index 207331f9b5ae543bb78effbc80a17b4256e8b7c6..dd681ca239274697d041ede34ce6bd0a7c2cd70b 100644 (file)
@@ -4000,8 +4000,9 @@ qf_free_items(qf_list_T *qfl)
                // to avoid crashing when it's wrong.
                // TODO: Avoid qf_count being incorrect.
                qfl->qf_count = 1;
+           else
+               qfl->qf_start = qfpnext;
        }
-       qfl->qf_start = qfpnext;
        --qfl->qf_count;
     }
 
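Review bot: On the `stop` path, `qfl->qf_start` is now left holding the address of the item that was just freed, because the assignment moved into the new `else` and nothing replaces it in the other branch. That is harmless only if the loop ends right after (qf_count is forced to 1 and then decremented) and the code after the loop resets qf_start before anything reads it; both the loop condition and that tail are outside this hunk, as is the `if` the `else` pairs with. I would make the invariant explicit by bracing both branches and adding `qfl->qf_start = NULL;` beside `qfl->qf_count = 1;`, or at least a comment such as `// qf_start is stale here; it is reset after the loop`. The file list shows only src/quickfix.c and src/version.c, so no regression test accompanies this security fix; if a self-linked last entry can be produced from script, a test run under a sanitizer build would keep this from regressing.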
index ed113381277bc5e1b2993515e75531d501ef5e9c..6994b3402cb487ba07eae5cef3aa958180cc3861 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2117,
 /**/
     2116,
 /**/