mirror of
https://github.com/neovim/neovim.git
synced 2024-12-23 20:55:18 -07:00
vim-patch:9.0.1840: [security] use-after-free in do_ecmd (#24993)
Problem: use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()
e1dc9a6275
N/A patches for version.c:
vim-patch:9.0.1841: style: trailing whitespace in ex_cmds.c
Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
parent
f32a69630d
commit
087ef52997
@ -2230,8 +2230,16 @@ int do_ecmd(int fnum, char *ffname, char *sfname, exarg_T *eap, linenr_T newlnum
|
||||
|
||||
// End Visual mode before switching to another buffer, so the text can be
|
||||
// copied into the GUI selection buffer.
|
||||
// Careful: may trigger ModeChanged() autocommand
|
||||
|
||||
// Should we block autocommands here?
|
||||
reset_VIsual();
|
||||
|
||||
// autocommands freed window :(
|
||||
if (oldwin != NULL && !win_valid(oldwin)) {
|
||||
oldwin = NULL;
|
||||
}
|
||||
|
||||
if ((command != NULL || newlnum > (linenr_T)0)
|
||||
&& *get_vim_var_str(VV_SWAPCOMMAND) == NUL) {
|
||||
// Set v:swapcommand for the SwapExists autocommands.
|
||||
|
16
test/functional/legacy/crash_spec.lua
Normal file
16
test/functional/legacy/crash_spec.lua
Normal file
@ -0,0 +1,16 @@
|
||||
local helpers = require('test.functional.helpers')(after_each)
|
||||
local assert_alive = helpers.assert_alive
|
||||
local clear = helpers.clear
|
||||
local command = helpers.command
|
||||
local feed = helpers.feed
|
||||
|
||||
before_each(clear)
|
||||
|
||||
-- oldtest: Test_crash1()
|
||||
it('no crash when ending Visual mode while editing buffer closes window', function()
|
||||
command('new')
|
||||
command('autocmd ModeChanged v:n ++once close')
|
||||
feed('v')
|
||||
command('enew')
|
||||
assert_alive()
|
||||
end)
|
25
test/old/testdir/test_crash.vim
Normal file
25
test/old/testdir/test_crash.vim
Normal file
@ -0,0 +1,25 @@
|
||||
" Some tests, that used to crash Vim
|
||||
source check.vim
|
||||
source screendump.vim
|
||||
|
||||
CheckScreendump
|
||||
|
||||
func Test_crash1()
|
||||
" The following used to crash Vim
|
||||
let opts = #{wait_for_ruler: 0}
|
||||
let args = ' -u NONE -i NONE -n -e -s -S '
|
||||
let buf = RunVimInTerminal(args .. ' crash/poc_huaf1', opts)
|
||||
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
||||
exe buf .. "bw!"
|
||||
|
||||
let buf = RunVimInTerminal(args .. ' crash/poc_huaf2', opts)
|
||||
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
||||
exe buf .. "bw!"
|
||||
|
||||
let buf = RunVimInTerminal(args .. ' crash/poc_huaf3', opts)
|
||||
call VerifyScreenDump(buf, 'Test_crash_01', {})
|
||||
exe buf .. "bw!"
|
||||
|
||||
endfunc
|
||||
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
Loading…
Reference in New Issue
Block a user