patch 9.1.0648: [security] double-free in dialog_changed()
Problem:  [security] double-free in dialog_changed()
          (SuyueGuo)
Solution: Only clear the b_sfname pointer if it is different
          from the b_ffname pointer.  Don't try to free b_fname,
          set it to NULL instead.
fixes: #15403
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f
Signed-off-by: Christian Brabandt <cb@256bit.org>
		| @ -197,9 +197,11 @@ dialog_changed( | ||||
| 	// restore to empty when write failed | ||||
| 	if (empty_bufname) | ||||
| 	{ | ||||
| 	    VIM_CLEAR(buf->b_fname); | ||||
| 	    // prevent double free | ||||
| 	    if (buf->b_sfname != buf->b_ffname) | ||||
| 		VIM_CLEAR(buf->b_sfname); | ||||
| 	    buf->b_fname = NULL; | ||||
| 	    VIM_CLEAR(buf->b_ffname); | ||||
| 	    VIM_CLEAR(buf->b_sfname); | ||||
| 	    unchanged(buf, TRUE, FALSE); | ||||
| 	} | ||||
|     } | ||||
|  | ||||
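Review bot: When b_sfname aliases b_ffname, the new guard `if (buf->b_sfname != buf->b_ffname)` skips clearing it, so after the following `VIM_CLEAR(buf->b_ffname);` b_sfname still holds the freed address — the double free is gone but a dangling pointer survives for any later reader of b_sfname. Nulling it in the alias case is one extra line after `VIM_CLEAR(buf->b_sfname);`: `else buf->b_sfname = NULL;`, which also mirrors how `buf->b_fname = NULL;` is handled two lines below. Whether b_fname always aliases one of the other two is not visible in this hunk, so setting it to NULL without freeing looks right but should be confirmed against where it is assigned. The `// prevent double free` comment would be more useful if it named the reason, e.g. `// b_sfname may alias b_ffname; free that storage only once`. dialog_changed() begins before this hunk.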
								src/testdir/crash/dialog_changed_uaf
											Binary file not shown.
							| @ -196,6 +196,12 @@ func Test_crash1_3() | ||||
|   call term_sendkeys(buf, args) | ||||
|   call TermWait(buf, 50) | ||||
|  | ||||
|   let file = 'crash/dialog_changed_uaf' | ||||
|   let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>" | ||||
|   let args = printf(cmn_args, vim, file) | ||||
|   call term_sendkeys(buf, args) | ||||
|   call TermWait(buf, 150) | ||||
|  | ||||
|   " clean up | ||||
|   exe buf .. "bw!" | ||||
|   bw! | ||||
|  | ||||
| @ -704,6 +704,8 @@ static char *(features[]) = | ||||
|  | ||||
| static int included_patches[] = | ||||
| {   /* Add new patch number below this line */ | ||||
| /**/ | ||||
|     648, | ||||
| /**/ | ||||
|     647, | ||||
| /**/ | ||||
|  | ||||