# HG changeset patch
# User Christian Brabandt
# Date 1700594105 -3600
# Node ID b857615e5d4290f0066744a38a56e203b5ff2125
# Parent d9576e67ab4bc0d4b38bed624d87eeb589381d56
patch 9.0.2117: [security] use-after-free in qf_free_items
Commit: https://github.com/vim/vim/commit/567cae2630a51efddc07eacff3b38a295e1f5671
Author: Christian Brabandt
Date: Sun Nov 19 16:19:27 2023 +0100
patch 9.0.2117: [security] use-after-free in qf_free_items
Problem: [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed
Coverity discovered a possible use-after-free in qf_free_items. When freeing the qfline items, we may access freed memory, when qfp == qfpnext. So only access qfpnext, when it hasn't been freed.
Signed-off-by: Christian Brabandt
diff --git a/src/quickfix.c b/src/quickfix.c
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -4000,8 +4000,9 @@ qf_free_items(qf_list_T *qfl)
 // to avoid crashing when it's wrong.
 // TODO: Avoid qf_count being incorrect.
 qfl->qf_count = 1;
+ else
+ qfl->qf_start = qfpnext;
 }
- qfl->qf_start = qfpnext;
 --qfl->qf_count;
 }
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 2117,
+/**/
 2116,
 /**/
 2115,
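Review bot: On the branch that sets `qfl->qf_count = 1` in the src/quickfix.c hunk, `qfl->qf_start` is no longer reassigned, so if that is the `qfp == qfpnext` case described in the commit message it still holds the address of the item that was just freed. The `if` condition, the loop head and the code after the loop are outside this hunk, so confirm that `qf_start` is reset before anything can dereference it, or clear it explicitly on that branch with `qfl->qf_start = NULL;`. Because the `if` body is three comment lines plus one statement followed by a brace-less `else`, putting braces around both branches would also make the pairing harder to misread in later edits.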