44 lines
1.2 KiB
Diff
44 lines
1.2 KiB
Diff
From 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Thu, 1 Aug 2024 20:16:51 +0200
|
|
Subject: [PATCH] patch 9.1.0647: [security] use-after-free in
|
|
tagstack_clear_entry
|
|
|
|
Problem: [security] use-after-free in tagstack_clear_entry
|
|
(Suyue Guo )
|
|
Solution: Instead of manually calling vim_free() on each of the tagstack
|
|
entries, let's use tagstack_clear_entry(), which will
|
|
also free the stack, but using the VIM_CLEAR macro,
|
|
which prevents a use-after-free by setting those pointers
|
|
to NULL
|
|
|
|
This addresses CVE-2024-41957
|
|
|
|
Github advisory:
|
|
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/window.c | 5 +----
|
|
1 file changed, 1 insertion(+), 4 deletions(-)
|
|
|
|
diff --git a/src/window.c b/src/window.c
|
|
index 7ca29d46a..70c72bca7 100644
|
|
--- a/src/window.c
|
|
+++ b/src/window.c
|
|
@@ -5661,10 +5661,7 @@ win_free(
|
|
win_free_lsize(wp);
|
|
|
|
for (i = 0; i < wp->w_tagstacklen; ++i)
|
|
- {
|
|
- vim_free(wp->w_tagstack[i].tagname);
|
|
- vim_free(wp->w_tagstack[i].user_data);
|
|
- }
|
|
+ tagstack_clear_entry(&wp->w_tagstack[i]);
|
|
vim_free(wp->w_localdir);
|
|
vim_free(wp->w_prevdir);
|
|
|
|
--
|
|
2.33.0
|
|
|