diff src/vim9execute.c @ 33501:c7c630759e31 v9.0.2000
patch 9.0.2000: Vim9: use-after-free in deep call stack
Commit: https://github.com/vim/vim/commit/1087b8c29ab521106c5b6cc85d5b38244f0d9c1d
Author: Yegappan Lakshmanan <yegappan@yahoo.com>
Date: Sat Oct 7 22:03:18 2023 +0200
patch 9.0.2000: Vim9: use-after-free in deep call stack
Problem: Vim9: use-after-free in deep call stack
Solution: Get the object pointer from execution stack
closes: #13296
Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sat, 07 Oct 2023 22:15:07 +0200 |
| parents | bff8ac203a22 |
| children | f99f5a56ff27 |
--- a/src/vim9execute.c +++ b/src/vim9execute.c @@ -559,6 +559,12 @@ call_dfunc( arg_to_add + STACK_FRAME_SIZE + varcount)) return FAIL; + // The object pointer is in the execution typval stack. The GA_GROW call + // above may have reallocated the execution typval stack. So the object + // pointer may not be valid anymore. Get the object pointer again from the + // execution stack. + obj = STACK_TV_BOT(0) - argcount - vararg_count - 1; + // If depth of calling is getting too high, don't execute the function. if (funcdepth_increment() == FAIL) return FAIL;
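Review bot: The recomputed `obj = STACK_TV_BOT(0) - argcount - vararg_count - 1;` after the GA_GROW check duplicates the arithmetic used wherever `obj` was first derived (the comment says "Get the object pointer again"), so the two expressions can silently drift apart; factoring the offset into one small helper or macro used at both sites would keep them in sync. The root cause the comment describes, a pointer into a growable array held across the call that may realloc it, applies to any other typval pointer in `call_dfunc()` computed before the GA_GROW, so it is worth auditing the surrounding code for the same pattern rather than fixing only `obj`. The hunk touches only `src/vim9execute.c`; a regression test that calls a method recursively deep enough to force the execution stack to grow would make the use-after-free reproducible and guard this fix.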