packages/vim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vim/backport-CVE-2024-41965.patch
wangjiang cb40e35e81 fix CVE-2024-41957 CVE-2024-41965 
(cherry picked from commit dfd9ba28525f88a2925ba262ff92fb9c9c744969)
2024-08-12 15:27:00 +08:00

43 lines
1.2 KiB
Diff
Raw Blame History

From b29f4abcd4b3382fa746edd1d0562b7b48c9de60 Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Thu, 1 Aug 2024 22:10:28 +0200
Subject: [PATCH] patch 9.1.0648: [security] double-free in dialog_changed()
Problem: [security] double-free in dialog_changed()
(SuyueGuo)
Solution: Only clear pointer b_sfname pointer, if it is different
than the b_ffname pointer. Don't try to free b_fname,
set it to NULL instead.
fixes: #15403
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/ex_cmds2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/ex_cmds2.c b/src/ex_cmds2.c
index ce30b8d39..0d76b3b27 100644
--- a/src/ex_cmds2.c
+++ b/src/ex_cmds2.c
@@ -197,9 +197,11 @@ dialog_changed(
// restore to empty when write failed
if (empty_bufname)
{
- VIM_CLEAR(buf->b_fname);
+ // prevent double free
+ if (buf->b_sfname != buf->b_ffname)
+ VIM_CLEAR(buf->b_sfname);
+ buf->b_fname = NULL;
VIM_CLEAR(buf->b_ffname);
- VIM_CLEAR(buf->b_sfname);
unchanged(buf, TRUE, FALSE);
}
}
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink