From 8c6b0a5f21d5f0cf3781ef2b6fdbb306d5604a02 Mon Sep 17 00:00:00 2001
From: zeertzjq
Date: Wed, 22 Nov 2023 11:07:00 +0800
Subject: vim-patch:9.0.2117: [security] use-after-free in qf_free_items (#26148)
Problem: [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed
Coverity discovered a possible use-after-free in qf_free_items. When freeing the qfline items, we may access freed memory, when qfp == qfpnext. So only access qfpnext, when it hasn't been freed.
https://github.com/vim/vim/commit/567cae2630a51efddc07eacff3b38a295e1f5671
Co-authored-by: Christian Brabandt
---
 src/nvim/quickfix.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/nvim/quickfix.c b/src/nvim/quickfix.c
index 57d3f2fd41..68217eefe7 100644
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@@ -3411,9 +3411,10 @@ static void qf_free_items(qf_list_T *qfl)
 // to avoid crashing when it's wrong.
 // TODO(vim): Avoid qf_count being incorrect.
 qfl->qf_count = 1;
+ } else {
+ qfl->qf_start = qfpnext;
 }
 }
- qfl->qf_start = qfpnext;
 qfl->qf_count--;
 }
--
cgit
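Review bot: In the branch that sets `qfl->qf_count = 1;`, `qfl->qf_start` is no longer reassigned, so if it still refers to the node the loop just freed (per the commit message this branch is reached when `qfp == qfpnext` and `qfp` has already been released), a dangling pointer stays stored in the list until whatever runs after the loop resets it. The loop head, the free of `qfp` and the post-loop cleanup of qf_free_items all lie outside the hunk, so I cannot confirm that reset from here; clearing the pointer where the condition is detected keeps the invariant local and lets the loop exit on either test: `qfl->qf_count = 1;` followed by `qfl->qf_start = NULL;  // qfp was freed above and qfpnext aliases it`. The new `else` branch is correct as written, and a one-line comment on it, `// qfpnext is a distinct, still-live node here`, would record why the assignment moved. The existing TODO about qf_count being wrong remains the root cause; this change only avoids storing the freed pointer.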