mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-10-26 12:27:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.0.1840: [security] use-after-free in do_ecmd

Browse Source 
Problem:  use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()

e1dc9a6275

N/A patches for version.c:
vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c

Co-authored-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 2ffd8d98fa)
This commit is contained in:
zeertzjq
2023-09-03 09:51:23 +08:00
committed by github-actions[bot]
parent c23bff6603
commit ed626d2f8f
3 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/nvim/ex_cmds.c
View File

@@ -2202,8 +2202,16 @@ int do_ecmd(int fnum, char *ffname, char *sfname, exarg_T *eap, linenr_T newlnum
// End Visual mode before switching to another buffer, so the text can be // End Visual mode before switching to another buffer, so the text can be
// copied into the GUI selection buffer. // copied into the GUI selection buffer.
// Careful: may trigger ModeChanged() autocommand
// Should we block autocommands here?
reset_VIsual(); reset_VIsual();
// autocommands freed window :(
if (oldwin != NULL && !win_valid(oldwin)) {
oldwin = NULL;
}
if ((command != NULL || newlnum > (linenr_T)0) if ((command != NULL || newlnum > (linenr_T)0)
&& *get_vim_var_str(VV_SWAPCOMMAND) == NUL) { && *get_vim_var_str(VV_SWAPCOMMAND) == NUL) {
// Set v:swapcommand for the SwapExists autocommands. // Set v:swapcommand for the SwapExists autocommands.

16
test/functional/legacy/crash_spec.lua Normal file
View File

@@ -0,0 +1,16 @@
local helpers = require('test.functional.helpers')(after_each)
local assert_alive = helpers.assert_alive
local clear = helpers.clear
local command = helpers.command
local feed = helpers.feed
before_each(clear)
-- oldtest: Test_crash1()
it('no crash when ending Visual mode while editing buffer closes window', function()
command('new')
command('autocmd ModeChanged v:n ++once close')
feed('v')
command('enew')
assert_alive()
end)

25
test/old/testdir/test_crash.vim Normal file
View File

@@ -0,0 +1,25 @@
" Some tests, that used to crash Vim
source check.vim
source screendump.vim
CheckScreendump
func Test_crash1()
" The following used to crash Vim
let opts = #{wait_for_ruler: 0}
let args = ' -u NONE -i NONE -n -e -s -S '
let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
call VerifyScreenDump(buf, 'Test_crash_01', {})
exe buf .. "bw!"
let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts)
call VerifyScreenDump(buf, 'Test_crash_01', {})
exe buf .. "bw!"
let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts)
call VerifyScreenDump(buf, 'Test_crash_01', {})
exe buf .. "bw!"
endfunc
" vim: shiftwidth=2 sts=2 expandtab