Mercurial > vim
comparison src/quickfix.c @ 33802:b857615e5d42 v9.0.2117
patch 9.0.2117: [security] use-after-free in qf_free_items
Commit: https://github.com/vim/vim/commit/567cae2630a51efddc07eacff3b38a295e1f5671
Author: Christian Brabandt <cb@256bit.org>
Date: Sun Nov 19 16:19:27 2023 +0100
patch 9.0.2117: [security] use-after-free in qf_free_items
Problem: [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed
Coverity discovered a possible use-after-free in qf_free_items. When
freeing the qfline items, we may access freed memory, when qfp ==
qfpnext.
So only access qfpnext, when it hasn't been freed.
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Tue, 21 Nov 2023 20:15:05 +0100 |
| parents | 20d09cced45f |
| children | 3b654f4462c5 |
comparison
equal
deleted
inserted
replaced
| 33801:d9576e67ab4b | 33802:b857615e5d42 |
|---|---|
| 3998 if (stop) | 3998 if (stop) |
| 3999 // Somehow qf_count may have an incorrect value, set it to 1 | 3999 // Somehow qf_count may have an incorrect value, set it to 1 |
| 4000 // to avoid crashing when it's wrong. | 4000 // to avoid crashing when it's wrong. |
| 4001 // TODO: Avoid qf_count being incorrect. | 4001 // TODO: Avoid qf_count being incorrect. |
| 4002 qfl->qf_count = 1; | 4002 qfl->qf_count = 1; |
| 4003 } | 4003 else |
| 4004 qfl->qf_start = qfpnext; | 4004 qfl->qf_start = qfpnext; |
| 4005 } | |
| 4005 --qfl->qf_count; | 4006 --qfl->qf_count; |
| 4006 } | 4007 } |
| 4007 | 4008 |
| 4008 qfl->qf_index = 0; | 4009 qfl->qf_index = 0; |
| 4009 qfl->qf_start = NULL; | 4010 qfl->qf_start = NULL; |