vim-patch:9.1.0648: [security] double-free in dialog_changed()

Problem:  [security] double-free in dialog_changed()
          (SuyueGuo)
Solution: Only clear the b_sfname pointer if it is different
          from the b_ffname pointer.  Don't try to free b_fname;
          set it to NULL instead.

fixes: vim/vim#15403

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f

b29f4abcd4

Co-authored-by: Christian Brabandt <cb@256bit.org>
zeertzjq
2024-08-03 08:13:20 +08:00
parent 383f693472
commit 6967c08840
4 changed files with 23 additions and 2 deletions


@@ -227,9 +227,12 @@ void dialog_changed(buf_T *buf, bool checkall)
// restore to empty when write failed
if (empty_bufname) {
XFREE_CLEAR(buf->b_fname);
// prevent double free
if (buf->b_sfname != buf->b_ffname) {
XFREE_CLEAR(buf->b_sfname);
}
buf->b_fname = NULL;
XFREE_CLEAR(buf->b_ffname);
XFREE_CLEAR(buf->b_sfname);
unchanged(buf, true, false);
}
} else if (ret == VIM_NO) {
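Review bot: In the aliasing case the new guard `if (buf->b_sfname != buf->b_ffname)` avoids the double free but leaves `buf->b_sfname` dangling: when the two pointers are equal the branch is skipped, `XFREE_CLEAR(buf->b_ffname)` then frees the shared allocation and nulls only `b_ffname`, so `b_sfname` still points at freed memory (this assumes the trailing `XFREE_CLEAR(buf->b_sfname);` is the removed line, as the commit message implies; the rendering here has lost the +/- markers). Consider an `else { buf->b_sfname = NULL; }` on the guard, or unconditionally setting `buf->b_sfname = NULL` after `b_ffname` is freed, so the aliased pointer cannot be read or freed later. Since the change is a use-after-free/double-free fix, a regression test that drives this path with an empty buffer name (as the reporter did for vim/vim#15403) would also be worth adding alongside the hunk.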