diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2024-08-16 09:00:50 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2024-08-17 06:04:52 +0800 |
| commit | b3d291c5656085189e1ba65357119f16e2f5e9b0 (patch) | |
| tree | b49afe5c2b1ac440ec6ba5b0fdcb82bb32e4740c /test | |
| parent | 8b8096500d08d771a936d8ceca25ef5716c3874f (diff) | |
| download | rneovim-b3d291c5656085189e1ba65357119f16e2f5e9b0.tar.gz rneovim-b3d291c5656085189e1ba65357119f16e2f5e9b0.tar.bz2 rneovim-b3d291c5656085189e1ba65357119f16e2f5e9b0.zip | |
vim-patch:9.1.0678: [security]: use-after-free in alist_add()
Problem: [security]: use-after-free in alist_add()
(SuyueGuo)
Solution: Lock the current window, so that the reference to
the argument list remains valid.
This fixes CVE-2024-43374
https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'test')
| -rw-r--r-- | test/old/testdir/test_arglist.vim | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/test/old/testdir/test_arglist.vim b/test/old/testdir/test_arglist.vim index ebda332562..952b121aed 100644 --- a/test/old/testdir/test_arglist.vim +++ b/test/old/testdir/test_arglist.vim @@ -360,6 +360,7 @@ func Test_argv() call assert_equal('', argv(1, 100)) call assert_equal([], argv(-1, 100)) call assert_equal('', argv(10, -1)) + %argdelete endfunc " Test for the :argedit command @@ -744,4 +745,26 @@ func Test_all_command() %bw! endfunc +" Test for deleting buffer when creating an arglist. This was accessing freed +" memory +func Test_crash_arglist_uaf() + "%argdelete + new one + au BufAdd XUAFlocal :bw + "call assert_fails(':arglocal XUAFlocal', 'E163:') + arglocal XUAFlocal + au! BufAdd + bw! XUAFlocal + + au BufAdd XUAFlocal2 :bw + new two + new three + arglocal + argadd XUAFlocal2 Xfoobar + bw! XUAFlocal2 + bw! two + + au! BufAdd +endfunc + " vim: shiftwidth=2 sts=2 expandtab |