diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 08:56:41 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2023-11-17 09:54:03 +0800 |
| commit | a589156b4d3ea2dc72908b8773c42ad012929c64 (patch) | |
| tree | a8bc739d8872191e67c9a1c6c325f49bfb15343b /src | |
| parent | 748198f5bf3048c06993efe4b048a6e39e4b1658 (diff) | |
| download | rneovim-a589156b4d3ea2dc72908b8773c42ad012929c64.tar.gz rneovim-a589156b4d3ea2dc72908b8773c42ad012929c64.tar.bz2 rneovim-a589156b4d3ea2dc72908b8773c42ad012929c64.zip | |
vim-patch:9.0.1857: [security] heap-use-after-free in is_qf_win()
Problem: heap-use-after-free in is_qf_win()
Solution: Check buffer is valid before accessing it
https://github.com/vim/vim/commit/fc68299d436cf87453e432daa77b6d545df4d7ed
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/nvim/main.c | 2 | ||||
| -rw-r--r-- | src/nvim/quickfix.c | 6 |
2 files changed, 2 insertions, 6 deletions
diff --git a/src/nvim/main.c b/src/nvim/main.c index 818a1313d7..5c0fc758b9 100644 --- a/src/nvim/main.c +++ b/src/nvim/main.c @@ -698,7 +698,7 @@ void getout(int exitval) for (const tabpage_T *tp = first_tabpage; tp != NULL; tp = next_tp) { next_tp = tp->tp_next; FOR_ALL_WINDOWS_IN_TAB(wp, tp) { - if (wp->w_buffer == NULL) { + if (wp->w_buffer == NULL || !buf_valid(wp->w_buffer)) { // Autocmd must have close the buffer already, skip. continue; } diff --git a/src/nvim/quickfix.c b/src/nvim/quickfix.c index 19b34b52b4..2ddee313a3 100644 --- a/src/nvim/quickfix.c +++ b/src/nvim/quickfix.c @@ -262,10 +262,8 @@ static const char *e_current_location_list_was_changed = #define IS_QF_LIST(qfl) ((qfl)->qfl_type == QFLT_QUICKFIX) #define IS_LL_LIST(qfl) ((qfl)->qfl_type == QFLT_LOCATION) -// // Return location list for window 'wp' // For location list window, return the referenced location list -// #define GET_LOC_LIST(wp) (IS_LL_WINDOW(wp) ? (wp)->w_llist_ref : (wp)->w_llist) // Macro to loop through all the items in a quickfix list @@ -3863,13 +3861,11 @@ static bool qf_win_pos_update(qf_info_T *qi, int old_qf_index) static int is_qf_win(const win_T *win, const qf_info_T *qi) FUNC_ATTR_NONNULL_ARG(2) FUNC_ATTR_PURE FUNC_ATTR_WARN_UNUSED_RESULT { - // // A window displaying the quickfix buffer will have the w_llist_ref field // set to NULL. // A window displaying a location list buffer will have the w_llist_ref // pointing to the location list. - // - if (bt_quickfix(win->w_buffer)) { + if (buf_valid(win->w_buffer) && bt_quickfix(win->w_buffer)) { if ((IS_QF_STACK(qi) && win->w_llist_ref == NULL) || (IS_LL_STACK(qi) && win->w_llist_ref == qi)) { return true; |