Mercurial > vim

diff src/version.c @ 33829:f0132690cdf9 v9.0.2129

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 9.0.2129: [security]: use-after-free in call_dfunc() Commit: https://github.com/vim/vim/commit/a555069b7d790abedc60edc505bd35bda257949d Author: mityu <mityu.mail@gmail.com> Date: Sat Nov 25 15:41:20 2023 +0100 patch 9.0.2129: [security]: use-after-free in call_dfunc() Problem: [security]: use-after-free in call_dfunc() Solution: Refresh dfunc pointer closes: #13571 This Commit fixes a SEGV caused by a use-after-free bug in call_dfunc(). When calling check_ufunc_arg_types() from the call_dfunc() it may cause def functions to be re-compiled and if there are too many def functions, the def_functions array will be re-allocated. Which means, that the dfunc pointer in call_dfunc() now starts pointing to freed memory. So we need to reset the dfunc pointer after calling check_ufunc_arg_types(). Let's also add a test, to ensure we do not regress. Signed-off-by: mityu <mityu.mail@gmail.com> Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Sat, 25 Nov 2023 16:00:03 +0100
parents d515e012d713
children 2b222b99faec
line wrap: on
line diff
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2129,
+/**/
     2128,
 /**/
     2127,