Mercurial > vim
view src/proto/vim9type.pro @ 33915:a49ae967e9ed v9.0.2158
patch 9.0.2158: [security]: use-after-free in check_argument_type
Commit: https://github.com/vim/vim/commit/0f28791b215bd4c22ed580839409c2f7d39d8140
Author: Christian Brabandt <cb@256bit.org>
Date: Mon Dec 11 17:53:25 2023 +0100
patch 9.0.2158: [security]: use-after-free in check_argument_type
Problem: [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
list
function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.
So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer
closes: #13652
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Mon, 11 Dec 2023 18:00:03 +0100 |
| parents | a259471e74fe |
| children | 84b93d95a952 |
line wrap: on
line source
/* vim9type.c */ type_T *get_type_ptr(garray_T *type_gap); type_T *copy_type(type_T *type, garray_T *type_gap); void clear_type_list(garray_T *gap); void clear_func_type_list(garray_T *gap, type_T **func_type); type_T *alloc_type(type_T *type); void free_type(type_T *type); void set_tv_type(typval_T *tv, type_T *type); type_T *get_list_type(type_T *member_type, garray_T *type_gap); type_T *get_dict_type(type_T *member_type, garray_T *type_gap); type_T *alloc_func_type(type_T *ret_type, int argcount, garray_T *type_gap); type_T *get_func_type(type_T *ret_type, int argcount, garray_T *type_gap); int func_type_add_arg_types(type_T *functype, int argcount, garray_T *type_gap); int type_any_or_unknown(type_T *type); int need_convert_to_bool(type_T *type, typval_T *tv); type_T *typval2type(typval_T *tv, int copyID, garray_T *type_gap, int flags); int valid_declaration_type(type_T *type); type_T *typval2type_vimvar(typval_T *tv, garray_T *type_gap); int check_typval_arg_type(type_T *expected, typval_T *actual_tv, char *func_name, int arg_idx); int check_typval_type(type_T *expected, typval_T *actual_tv, where_T where); void arg_type_mismatch(type_T *expected, type_T *actual, int arg_idx); void type_mismatch_where(type_T *expected, type_T *actual, where_T where); int check_type(type_T *expected, type_T *actual, int give_msg, where_T where); int check_type_maybe(type_T *expected, type_T *actual, int give_msg, where_T where); int check_argument_types(type_T *type, typval_T *argvars, int argcount, typval_T *base_tv, char_u *name); char_u *skip_type(char_u *start, int optional); type_T *parse_type(char_u **arg, garray_T *type_gap, int give_error); int equal_type(type_T *type1, type_T *type2, int flags); void common_type(type_T *type1, type_T *type2, type_T **dest, garray_T *type_gap); int push_type_stack(cctx_T *cctx, type_T *type); int push_type_stack2(cctx_T *cctx, type_T *type, type_T *decl_type); void set_type_on_stack(cctx_T *cctx, type_T *type, int offset); type_T *get_type_on_stack(cctx_T *cctx, int offset); type_T *get_decl_type_on_stack(cctx_T *cctx, int offset); type_T *get_member_type_from_stack(int count, int skip, cctx_T *cctx); char *vartype_name(vartype_T type); char *type_name(type_T *type, char **tofree); void f_typename(typval_T *argvars, typval_T *rettv); int check_vartype_is_value(vartype_T typ); int check_typval_is_value(typval_T *tv); int check_type_is_value(type_T *type); /* vim: set ft=c : */