changeset 33804:43c439af511e v9.0.2118

patch 9.0.2118: [security]: avoid double-free in get_style_font_variants Commit: https://github.com/vim/vim/commit/a5218a7330cb14ddd9afa323ab03f4334e6a77a0 Author: Christian Brabandt <cb@256bit.org> Date: Sun Nov 19 16:25:45 2023 +0100 patch 9.0.2118: [security]: avoid double-free in get_style_font_variants Problem: [security]: avoid double-free Solution: Only free plain_font, when it is not the same as bold_font When plain_font == bold_font and bold_font is not NULL, we may end up trying to free bold_font again, which already has been freed a few lines above. So only free bold_font, when the condition gui.font_can_bold is true, which means that bold_font is not pointing to plain_font (so it needs to be freed separately). Signed-off-by: Christian Brabandt <cb@256bit.org>
author Christian Brabandt <cb@256bit.org>
date Tue, 21 Nov 2023 20:15:07 +0100
parents e8a6e2b5443d
children bc960017d009
files src/gui_gtk_x11.c src/version.c
diffstat 2 files changed, 4 insertions(+), 1 deletions(-) [+]
--- a/src/gui_gtk_x11.c
+++ b/src/gui_gtk_x11.c
@@ -5048,7 +5048,8 @@ get_styled_font_variants(void)
     }
 
     pango_font_description_free(bold_font_desc);
-    g_object_unref(plain_font);
+    if (bold_font != NULL && gui.font_can_bold)
+	g_object_unref(plain_font);
 }
 
 static PangoEngineShape *default_shape_engine = NULL;
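Review bot: The new guard `if (bold_font != NULL && gui.font_can_bold)` also skips the unref when `bold_font` is NULL, a case where nothing above can have released `plain_font`, so its reference would be leaked on that path. The commit description only motivates skipping the unref when `bold_font` aliases `plain_font`; a condition matching that would be `if (bold_font == NULL || gui.font_can_bold)`, assuming `gui.font_can_bold` is set from the pointer comparison earlier in the function, which starts outside this hunk. It is also worth confirming whether the two font loads each return their own reference, because in that case the original unconditional unref was balanced and the aliasing path now leaks one as well. A short comment above the condition, e.g. `/* bold_font may alias plain_font and was already unreferenced above */`, would record the ownership reasoning for the next reader.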
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2118,
+/**/
     2117,
 /**/
     2116,