diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2024-08-02 06:00:02 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2024-08-02 07:14:42 +0800 |
| commit | 6af359ef4cc3c221e0e3102ab2b54cf64d7c9835 (patch) | |
| tree | 39230226ac82217aaba7b4c2b3d72a99ac63143b /test/old | |
| parent | a4bec30b7b2fa66a2db9d03f54e51dff58116465 (diff) | |
| download | rneovim-6af359ef4cc3c221e0e3102ab2b54cf64d7c9835.tar.gz rneovim-6af359ef4cc3c221e0e3102ab2b54cf64d7c9835.tar.bz2 rneovim-6af359ef4cc3c221e0e3102ab2b54cf64d7c9835.zip | |
vim-patch:9.1.0647: [security] use-after-free in tagstack_clear_entry
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'test/old')
| -rw-r--r-- | test/old/testdir/crash/double_free | bin | 0 -> 561 bytes | |||
| -rw-r--r-- | test/old/testdir/test_crash.vim | 6 |
2 files changed, 6 insertions, 0 deletions
diff --git a/test/old/testdir/crash/double_free b/test/old/testdir/crash/double_free Binary files differnew file mode 100644 index 0000000000..895c4a04b6 --- /dev/null +++ b/test/old/testdir/crash/double_free diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim index fd786e5d54..29061aa423 100644 --- a/test/old/testdir/test_crash.vim +++ b/test/old/testdir/test_crash.vim @@ -190,6 +190,12 @@ func Test_crash1_3() call term_sendkeys(buf, args) call TermWait(buf, 150) + let file = 'crash/double_free' + let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args) + call TermWait(buf, 50) + " clean up exe buf .. "bw!" bw! |