authorzeertzjq <zeertzjq@outlook.com>2023-11-22 11:07:00 +0800
committerGitHub <noreply@github.com>2023-11-22 11:07:00 +0800
commit8c6b0a5f21d5f0cf3781ef2b6fdbb306d5604a02 (patch)
tree84e6d26913d2324db22aec37a7a8c078fbf65969 /src/nvim/quickfix.c
parent059dc3f4a6b94cd028c5041d682982e6eed9bc87 (diff)
vim-patch:9.0.2117: [security] use-after-free in qf_free_items (#26148)
Problem: [security] use-after-free in qf_free_items Solution: only access qfpnext, if it hasn't been freed Coverity discovered a possible use-after-free in qf_free_items. When freeing the qfline items, we may access freed memory, when qfp == qfpnext. So only access qfpnext, when it hasn't been freed. https://github.com/vim/vim/commit/567cae2630a51efddc07eacff3b38a295e1f5671 Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim/quickfix.c')
-rw-r--r--src/nvim/quickfix.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/nvim/quickfix.c b/src/nvim/quickfix.c
index 57d3f2fd41..68217eefe7 100644
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@@ -3411,9 +3411,10 @@ static void qf_free_items(qf_list_T *qfl)
// to avoid crashing when it's wrong.
// TODO(vim): Avoid qf_count being incorrect.
qfl->qf_count = 1;
+ } else {
+ qfl->qf_start = qfpnext;
}
}
- qfl->qf_start = qfpnext;
qfl->qf_count--;
}
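Review bot: In the branch that sets `qfl->qf_count = 1`, `qfl->qf_start` is no longer assigned, so it keeps its old value, which per the commit message is the item that was just freed (`qfp == qfpnext`). The loop presumably ends only because the count is forced to 1 and then decremented, leaving the list struct with a stale pointer at that point. The rest of qf_free_items lies outside this hunk, so the field may well be reset after the loop. If it is not, I would clear it next to the count fix-up with `qfl->qf_start = NULL;`. Otherwise a short comment there, such as `// qf_start is stale here and is reset after the loop`, would stop a later edit from dereferencing it.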