adam/vim
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'

Browse Source 
Problem:  potential use-after free when there is an error in 'tabpanel'
          option (@char101, after v9.1.1391)
Solution: check if p_tpl has been set to null before accessing it again.

While at it slightly change starts_with_percent_and_bang() and use the
existing opt_name and opt_scope variables.

fixes: #17364
closes: #17388

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2025-05-27 20:49:34 +02:00
parent f0c7090a38
commit ac83b3c373
3 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/tabpanel.c
View File

@ -530,8 +530,8 @@ starts_with_percent_and_bang(tabpanel_T *pargs)
if (did_emsg > did_emsg_before)
{
usefmt = NULL;
set_string_option_direct((char_u *)"tabpanel", -1, (char_u *)"",
OPT_FREE | OPT_GLOBAL, SID_ERROR);
set_string_option_direct(opt_name, -1, (char_u *)"",
OPT_FREE | opt_scope, SID_ERROR);
}
}
#endif
@ -641,6 +641,12 @@ do_by_tplmode(
args.prow = &row;
args.pcol = &col;
draw_tabpanel_userdefined(tplmode, &args);
// p_tpl could have been freed in build_stl_str_hl()
if (p_tpl == NULL || *p_tpl == NUL)
{
usefmt = NULL;
break;
}
p += i;
i = 0;