Mercurial > vim
comparison src/testdir/test_vim9_class.vim @ 33829:f0132690cdf9 v9.0.2129
patch 9.0.2129: [security]: use-after-free in call_dfunc()
Commit: https://github.com/vim/vim/commit/a555069b7d790abedc60edc505bd35bda257949d
Author: mityu <mityu.mail@gmail.com>
Date: Sat Nov 25 15:41:20 2023 +0100
patch 9.0.2129: [security]: use-after-free in call_dfunc()
Problem: [security]: use-after-free in call_dfunc()
Solution: Refresh dfunc pointer
closes: #13571
This Commit fixes a SEGV caused by a use-after-free bug in call_dfunc().
When calling check_ufunc_arg_types() from the call_dfunc() it may cause
def functions to be re-compiled and if there are too many def functions,
the def_functions array will be re-allocated. Which means, that the
dfunc pointer in call_dfunc() now starts pointing to freed memory.
So we need to reset the dfunc pointer after calling
check_ufunc_arg_types().
Let's also add a test, to ensure we do not regress.
Signed-off-by: mityu <mityu.mail@gmail.com>
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sat, 25 Nov 2023 16:00:03 +0100 |
| parents | 2172872dfbcd |
| children | cd7acb9bc4fd |
comparison
equal
deleted
inserted
replaced
| 33828:53bab9f88162 | 33829:f0132690cdf9 |
|---|---|
| 8583 a.Foo() | 8583 a.Foo() |
| 8584 END | 8584 END |
| 8585 v9.CheckSourceFailure(lines, 'E1012: Type mismatch; expected number but got dict<unknown>', 3) | 8585 v9.CheckSourceFailure(lines, 'E1012: Type mismatch; expected number but got dict<unknown>', 3) |
| 8586 enddef | 8586 enddef |
| 8587 | 8587 |
| 8588 def Test_compile_many_def_functions_in_funcref_instr() | |
| 8589 # This used to crash Vim. This is reproducible only when run on new instance | |
| 8590 # of Vim. | |
| 8591 var lines =<< trim END | |
| 8592 vim9script | |
| 8593 | |
| 8594 class A | |
| 8595 def new() | |
| 8596 this.TakeFunc(this.F00) | |
| 8597 enddef | |
| 8598 | |
| 8599 def TakeFunc(F: func) | |
| 8600 enddef | |
| 8601 | |
| 8602 def F00() | |
| 8603 this.F01() | |
| 8604 this.F02() | |
| 8605 this.F03() | |
| 8606 this.F04() | |
| 8607 this.F05() | |
| 8608 this.F06() | |
| 8609 this.F07() | |
| 8610 this.F08() | |
| 8611 this.F09() | |
| 8612 this.F10() | |
| 8613 this.F11() | |
| 8614 this.F12() | |
| 8615 this.F13() | |
| 8616 this.F14() | |
| 8617 this.F15() | |
| 8618 this.F16() | |
| 8619 this.F17() | |
| 8620 this.F18() | |
| 8621 this.F19() | |
| 8622 this.F20() | |
| 8623 this.F21() | |
| 8624 this.F22() | |
| 8625 this.F23() | |
| 8626 this.F24() | |
| 8627 this.F25() | |
| 8628 this.F26() | |
| 8629 this.F27() | |
| 8630 this.F28() | |
| 8631 this.F29() | |
| 8632 this.F30() | |
| 8633 this.F31() | |
| 8634 this.F32() | |
| 8635 this.F33() | |
| 8636 this.F34() | |
| 8637 this.F35() | |
| 8638 this.F36() | |
| 8639 this.F37() | |
| 8640 this.F38() | |
| 8641 this.F39() | |
| 8642 this.F40() | |
| 8643 this.F41() | |
| 8644 this.F42() | |
| 8645 this.F43() | |
| 8646 this.F44() | |
| 8647 this.F45() | |
| 8648 this.F46() | |
| 8649 this.F47() | |
| 8650 enddef | |
| 8651 | |
| 8652 def F01() | |
| 8653 enddef | |
| 8654 def F02() | |
| 8655 enddef | |
| 8656 def F03() | |
| 8657 enddef | |
| 8658 def F04() | |
| 8659 enddef | |
| 8660 def F05() | |
| 8661 enddef | |
| 8662 def F06() | |
| 8663 enddef | |
| 8664 def F07() | |
| 8665 enddef | |
| 8666 def F08() | |
| 8667 enddef | |
| 8668 def F09() | |
| 8669 enddef | |
| 8670 def F10() | |
| 8671 enddef | |
| 8672 def F11() | |
| 8673 enddef | |
| 8674 def F12() | |
| 8675 enddef | |
| 8676 def F13() | |
| 8677 enddef | |
| 8678 def F14() | |
| 8679 enddef | |
| 8680 def F15() | |
| 8681 enddef | |
| 8682 def F16() | |
| 8683 enddef | |
| 8684 def F17() | |
| 8685 enddef | |
| 8686 def F18() | |
| 8687 enddef | |
| 8688 def F19() | |
| 8689 enddef | |
| 8690 def F20() | |
| 8691 enddef | |
| 8692 def F21() | |
| 8693 enddef | |
| 8694 def F22() | |
| 8695 enddef | |
| 8696 def F23() | |
| 8697 enddef | |
| 8698 def F24() | |
| 8699 enddef | |
| 8700 def F25() | |
| 8701 enddef | |
| 8702 def F26() | |
| 8703 enddef | |
| 8704 def F27() | |
| 8705 enddef | |
| 8706 def F28() | |
| 8707 enddef | |
| 8708 def F29() | |
| 8709 enddef | |
| 8710 def F30() | |
| 8711 enddef | |
| 8712 def F31() | |
| 8713 enddef | |
| 8714 def F32() | |
| 8715 enddef | |
| 8716 def F33() | |
| 8717 enddef | |
| 8718 def F34() | |
| 8719 enddef | |
| 8720 def F35() | |
| 8721 enddef | |
| 8722 def F36() | |
| 8723 enddef | |
| 8724 def F37() | |
| 8725 enddef | |
| 8726 def F38() | |
| 8727 enddef | |
| 8728 def F39() | |
| 8729 enddef | |
| 8730 def F40() | |
| 8731 enddef | |
| 8732 def F41() | |
| 8733 enddef | |
| 8734 def F42() | |
| 8735 enddef | |
| 8736 def F43() | |
| 8737 enddef | |
| 8738 def F44() | |
| 8739 enddef | |
| 8740 def F45() | |
| 8741 enddef | |
| 8742 def F46() | |
| 8743 enddef | |
| 8744 def F47() | |
| 8745 enddef | |
| 8746 endclass | |
| 8747 | |
| 8748 A.new() | |
| 8749 END | |
| 8750 writefile(lines, 'Xscript', 'D') | |
| 8751 g:RunVim([], [], '-u NONE -S Xscript -c qa') | |
| 8752 assert_equal(0, v:shell_error) | |
| 8753 enddef | |
| 8754 | |
| 8588 " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker | 8755 " vim: ts=8 sw=2 sts=2 expandtab tw=80 fdm=marker |