diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2024-08-02 06:00:02 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2024-08-02 07:14:42 +0800 |
| commit | 6af359ef4cc3c221e0e3102ab2b54cf64d7c9835 (patch) | |
| tree | 39230226ac82217aaba7b4c2b3d72a99ac63143b /src/nvim | |
| parent | a4bec30b7b2fa66a2db9d03f54e51dff58116465 (diff) | |
| download | rneovim-6af359ef4cc3c221e0e3102ab2b54cf64d7c9835.tar.gz rneovim-6af359ef4cc3c221e0e3102ab2b54cf64d7c9835.tar.bz2 rneovim-6af359ef4cc3c221e0e3102ab2b54cf64d7c9835.zip | |
vim-patch:9.1.0647: [security] use-after-free in tagstack_clear_entry
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src/nvim')
| -rw-r--r-- | src/nvim/window.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/nvim/window.c b/src/nvim/window.c index b770f0ccab..4fde200a01 100644 --- a/src/nvim/window.c +++ b/src/nvim/window.c @@ -73,6 +73,7 @@ #include "nvim/statusline.h" #include "nvim/strings.h" #include "nvim/syntax.h" +#include "nvim/tag.h" #include "nvim/terminal.h" #include "nvim/types_defs.h" #include "nvim/ui.h" @@ -5205,8 +5206,7 @@ void win_free(win_T *wp, tabpage_T *tp) xfree(wp->w_lines); for (int i = 0; i < wp->w_tagstacklen; i++) { - xfree(wp->w_tagstack[i].tagname); - xfree(wp->w_tagstack[i].user_data); + tagstack_clear_entry(&wp->w_tagstack[i]); } xfree(wp->w_localdir); |