comparison src/quickfix.c @ 33802:b857615e5d42 v9.0.2117
patch 9.0.2117: [security] use-after-free in qf_free_items
Commit: https://github.com/vim/vim/commit/567cae2630a51efddc07eacff3b38a295e1f5671
Author: Christian Brabandt <cb@256bit.org>
Date: Sun Nov 19 16:19:27 2023 +0100
patch 9.0.2117: [security] use-after-free in qf_free_items
Problem: [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed
Coverity discovered a possible use-after-free in qf_free_items. When
freeing the qfline items, we may access freed memory, when qfp ==
qfpnext.
So only access qfpnext, when it hasn't been freed.
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Tue, 21 Nov 2023 20:15:05 +0100 |
parents | 20d09cced45f |
children | 3b654f4462c5 |
33801:d9576e67ab4b | 33802:b857615e5d42 |
---|---|
3998 if (stop) | 3998 if (stop) |
3999 // Somehow qf_count may have an incorrect value, set it to 1 | 3999 // Somehow qf_count may have an incorrect value, set it to 1 |
4000 // to avoid crashing when it's wrong. | 4000 // to avoid crashing when it's wrong. |
4001 // TODO: Avoid qf_count being incorrect. | 4001 // TODO: Avoid qf_count being incorrect. |
4002 qfl->qf_count = 1; | 4002 qfl->qf_count = 1; |
4003 } | 4003 else |
4004 qfl->qf_start = qfpnext; | 4004 qfl->qf_start = qfpnext; |
4005 } | |
4005 --qfl->qf_count; | 4006 --qfl->qf_count; |
4006 } | 4007 } |
4007 | 4008 |
4008 qfl->qf_index = 0; | 4009 qfl->qf_index = 0; |
4009 qfl->qf_start = NULL; | 4010 qfl->qf_start = NULL; |
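
Review bot: the `if (stop)` / `else` pair at new lines 3998-4004 is left unbraced even though the `if` branch carries a three-line comment ahead of its single statement, which makes it easy to misread which statement the `else` governs; bracing both branches would make the guard explicit. With the new `else`, the `stop` path no longer updates `qfl->qf_start` in this block, and the field is only reset by `qfl->qf_start = NULL` at line 4010, so a one-line comment saying the assignment is skipped on purpose because `qfpnext` may already have been freed would record the reason next to the code rather than only in the commit message. The retained TODO about `qf_count` being incorrect marks the condition this guard compensates for, and it is still open after this change.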