Commit: patch 9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

[Christian Brabandt]

patch 9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

Commit: https://github.com/vim/vim/commit/2101230f4013860dbafcb0cab3f4e6bc92fb6f35
Author: zeertzjq <zeer...@outlook.com>
Date: Sun Feb 2 08:55:57 2025 +0100

patch 9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

Problem: heap-use-after-free and stack-use-after-scope with :14verbose
when using :return and :try (after 9.1.1063).
Solution: Move back the vim_free(tofree) and the scope of numbuf[].
(zeertzjq)

closes: #16563

Signed-off-by: zeertzjq <zeer...@outlook.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/testdir/test_user_func.vim b/src/testdir/test_user_func.vim
index 99ac90662..bae98ed1f 100644
--- a/src/testdir/test_user_func.vim
+++ b/src/testdir/test_user_func.vim
@@ -987,4 +987,36 @@ func Test_func_curly_brace_invalid_name()
delfunc Fail
endfunc

+func Test_func_return_in_try_verbose()
+ func TryReturnList()
+ try
+ return [1, 2, 3]
+ endtry
+ endfunc
+ func TryReturnNumber()
+ try
+ return 123
+ endtry
+ endfunc
+ func TryReturnOverlongString()
+ try
+ return repeat('a', 9999)
+ endtry
+ endfunc
+
+ " This should not cause heap-use-after-free
+ call assert_match('
:return \[1, 2, 3\] made pending
',
+ \ execute('14verbose call TryReturnList()'))
+ " This should not cause stack-use-after-scope
+ call assert_match('
:return 123 made pending
',
+ \ execute('14verbose call TryReturnNumber()'))
+ " An overlong string is truncated
+ call assert_match('
:return a\{100,}\.\.\.',
+ \ execute('14verbose call TryReturnOverlongString()'))
+
+ delfunc TryReturnList
+ delfunc TryReturnNumber
+ delfunc TryReturnOverlongString
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/userfunc.c b/src/userfunc.c
index 81f1f284e..0cdfa3879 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -682,12 +682,12 @@ make_ufunc_name_readable(char_u *name, char_u *buf, size_t bufsize)
return buf;
}

-/*
- * Get a name for a lambda. Returned in static memory.
- */
static char_u lambda_name[8 + NUMBUFLEN];
static size_t lambda_namelen = 0;

+/*
+ * Get a name for a lambda. Returned in static memory.
+ */
char_u *
get_lambda_name(void)
{
@@ -6820,17 +6820,13 @@ discard_pending_return(void *rettv)
get_return_cmd(void *rettv)
{
char_u *s = NULL;
+ char_u *tofree = NULL;
+ char_u numbuf[NUMBUFLEN];
size_t slen = 0;
size_t IObufflen;

if (rettv != NULL)
- {
- char_u *tofree = NULL;
- char_u numbuf[NUMBUFLEN];
-
s = echo_string((typval_T *)rettv, &tofree, numbuf, 0);
- vim_free(tofree);
- }
if (s == NULL)
s = (char_u *)"";
else
@@ -6839,11 +6835,12 @@ get_return_cmd(void *rettv)
STRCPY(IObuff, ":return ");
STRNCPY(IObuff + 8, s, IOSIZE - 8);
IObufflen = 8 + slen;
- if (slen + 8 >= IOSIZE)
+ if (IObufflen >= IOSIZE)
{
STRCPY(IObuff + IOSIZE - 4, "...");
- IObufflen += 3;
+ IObufflen = IOSIZE - 1;
}
+ vim_free(tofree);
return vim_strnsave(IObuff, IObufflen);
}

diff --git a/src/version.c b/src/version.c
index 6f59af4e1..9519d6905 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1066,
/**/
1065,
/**/