patch 9.1.0648: [security] double-free in dialog_changed()
Problem:  [security] double-free in dialog_changed()
          (SuyueGuo)
Solution: Only clear the b_sfname pointer if it is different
          than the b_ffname pointer.  Don't try to free b_fname,
          set it to NULL instead.
fixes: #15403
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f
Signed-off-by: Christian Brabandt <cb@256bit.org>
			
			
		| @ -197,9 +197,11 @@ dialog_changed( | ||||
| 	// restore to empty when write failed | ||||
| 	if (empty_bufname) | ||||
| 	{ | ||||
| 	    VIM_CLEAR(buf->b_fname); | ||||
| 	    // prevent double free | ||||
| 	    if (buf->b_sfname != buf->b_ffname) | ||||
| 		VIM_CLEAR(buf->b_sfname); | ||||
| 	    buf->b_fname = NULL; | ||||
| 	    VIM_CLEAR(buf->b_ffname); | ||||
| 	    VIM_CLEAR(buf->b_sfname); | ||||
| 	    unchanged(buf, TRUE, FALSE); | ||||
| 	} | ||||
|     } | ||||
|  | ||||
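Review bot: in the aliased case (buf->b_sfname == buf->b_ffname) the new guard skips VIM_CLEAR(buf->b_sfname), so b_sfname is never reset and still holds the address that VIM_CLEAR(buf->b_ffname) frees on the next line. This rendering has dropped the +/- markers, so this assumes the trailing VIM_CLEAR(buf->b_sfname) after the b_ffname clear is the removed line. The double free is gone, but a stale b_sfname remains for any later reader or free of that field; consider an unconditional buf->b_sfname = NULL; after VIM_CLEAR(buf->b_ffname). Separately, buf->b_fname = NULL is only leak-free if b_fname always aliases b_ffname or b_sfname at this point, and the "prevent double free" comment should state that invariant so the missing free does not look like an oversight.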