git.ipfire.org Git - thirdparty/vim.git/commit

author	mityu <mityu.mail@gmail.com>
	Sat, 25 Nov 2023 14:41:20 +0000 (15:41 +0100)
committer	Christian Brabandt <cb@256bit.org>
	Sat, 25 Nov 2023 14:41:20 +0000 (15:41 +0100)
commit	a555069b7d790abedc60edc505bd35bda257949d
tree	1514af3bf9ce5f9470b9b731f45ef2e8f6dd759f	tree
parent	8c14e79737c5df5cd111f60e7bda46cb0b9d89f7	commit \| diff

patch 9.0.2129: [security]: use-after-free in call_dfunc()

Problem: [security]: use-after-free in call_dfunc()
Solution: Refresh dfunc pointer

closes: #13571

This Commit fixes a SEGV caused by a use-after-free bug in call_dfunc().
When calling check_ufunc_arg_types() from the call_dfunc() it may cause
def functions to be re-compiled and if there are too many def functions,
the def_functions array will be re-allocated. Which means, that the
dfunc pointer in call_dfunc() now starts pointing to freed memory.

So we need to reset the dfunc pointer after calling
check_ufunc_arg_types().

Let's also add a test, to ensure we do not regress.

Signed-off-by: mityu <mityu.mail@gmail.com>
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/testdir/test_vim9_class.vim		diff \| blob \| blame \| history
src/version.c		diff \| blob \| blame \| history
src/vim9execute.c		diff \| blob \| blame \| history