adam/vim
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

patch 9.1.0647: [security] use-after-free in tagstack_clear_entry

Browse Source 
Problem:  [security] use-after-free in tagstack_clear_entry
          (Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
          entries, let's use tagstack_clear_entry(), which will
          also free the stack, but using the VIM_CLEAR macro,
          which prevents a use-after-free by setting those pointers
          to NULL

This addresses CVE-2024-41957

Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2024-08-01 20:16:51 +02:00
parent 5b07213c0b
commit 8a0bbe7b8a
4 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/window.c
View File

@ -5837,10 +5837,7 @@ win_free(
win_free_lsize(wp);
for (i = 0; i < wp->w_tagstacklen; ++i)
{
vim_free(wp->w_tagstack[i].tagname);
vim_free(wp->w_tagstack[i].user_data);
}
tagstack_clear_entry(&wp->w_tagstack[i]);
vim_free(wp->w_localdir);
vim_free(wp->w_prevdir);