diff src/vim9execute.c @ 33501:c7c630759e31 v9.0.2000

patch 9.0.2000: Vim9: use-after-free in deep call stack Commit: https://github.com/vim/vim/commit/1087b8c29ab521106c5b6cc85d5b38244f0d9c1d Author: Yegappan Lakshmanan <yegappan@yahoo.com> Date: Sat Oct 7 22:03:18 2023 +0200 patch 9.0.2000: Vim9: use-after-free in deep call stack Problem: Vim9: use-after-free in deep call stack Solution: Get the object pointer from the execution stack closes: #13296 Signed-off-by: Christian Brabandt <cb@256bit.org> Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
author Christian Brabandt <cb@256bit.org>
date Sat, 07 Oct 2023 22:15:07 +0200
parents bff8ac203a22
children f99f5a56ff27
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -559,6 +559,12 @@ call_dfunc(
 				     arg_to_add + STACK_FRAME_SIZE + varcount))
 	return FAIL;
 
+    // The object pointer is in the execution typval stack.  The GA_GROW call
+    // above may have reallocated the execution typval stack.  So the object
+    // pointer may not be valid anymore.  Get the object pointer again from the
+    // execution stack.
+    obj = STACK_TV_BOT(0) - argcount - vararg_count - 1;
+
     // If depth of calling is getting too high, don't execute the function.
     if (funcdepth_increment() == FAIL)
 	return FAIL;
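Review bot: The refreshed `obj` on the added line is assigned unconditionally, so if call_dfunc can be entered with `obj == NULL` for a plain (non-method) call, the NULL is silently replaced by a pointer to whatever typval happens to sit below the arguments; unless every later use of `obj` is already gated on a method-call flag rather than on NULL, the line should read `if (obj != NULL) obj = STACK_TV_BOT(0) - argcount - vararg_count - 1;`. The recomputation also relies on the caller having pushed the object's typval immediately under the `argcount + vararg_count` argument slots, which is a layout contract between the call site and this function; a short comment naming that contract next to the assignment (e.g. `// caller pushes the object tv directly below the arguments`) would make a future change to the push order fail loudly in review. Since GA_GROW may reallocate ec_stack, any other pointer into it that is still live at this point would be stale in the same way, so it is worth confirming none is held across the call. call_dfunc's body starts and ends outside this hunk.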