Commit: patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'
2 views
Skip to first unread message
Christian Brabandt
May 27, 2025, 3:00:19 PM5/27/25
to vim...@googlegroups.com
patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'
Commit: https://github.com/vim/vim/commit/ac83b3c373985080eda3a07a76a556b168da4abe
Author: Christian Brabandt <c...@256bit.org>
Date: Tue May 27 20:49:34 2025 +0200
patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'
Problem: potential use-after free when there is an error in 'tabpanel'
option (@char101, after v9.1.1391)
Solution: check if p_tpl has been set to null before accessing it again.
While at it slightly change starts_with_percent_and_bang() and use the
existing opt_name and opt_scope variables.
fixes: #17364
closes: #17388
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/tabpanel.c b/src/tabpanel.c
index bb7a8742b..599e434cb 100644
--- a/src/tabpanel.c
+++ b/src/tabpanel.c
@@ -530,8 +530,8 @@ starts_with_percent_and_bang(tabpanel_T *pargs)
if (did_emsg > did_emsg_before)
{
usefmt = NULL;
- set_string_option_direct((char_u *)"tabpanel", -1, (char_u *)"",
- OPT_FREE | OPT_GLOBAL, SID_ERROR);
+ set_string_option_direct(opt_name, -1, (char_u *)"",
+ OPT_FREE | opt_scope, SID_ERROR);
}
}
#endif
@@ -641,6 +641,12 @@ do_by_tplmode(
args.prow = &row;
args.pcol = &col;
draw_tabpanel_userdefined(tplmode, &args);
+ // p_tpl could have been freed in build_stl_str_hl()
+ if (p_tpl == NULL || *p_tpl == NUL)
+ {
+ usefmt = NULL;
+ break;
+ }
p += i;
i = 0;
diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
index 46ebe3b62..e0a6a8c61 100644
--- a/src/testdir/test_tabpanel.vim
+++ b/src/testdir/test_tabpanel.vim
@@ -529,6 +529,14 @@ function Test_tabpanel_error()
catch /^Vim\%(( \+)\)\=:E117:/
endtry
call assert_true(empty(&tabpanel))
+
+ try
+ set tabpanel=%{my#util#TabPanelHighlight}%t
+ redraw!
+ catch /^Vim\%(( \+)\)\=:E121:/
+ endtry
+ call assert_true(empty(&tabpanel))
+
set tabpanel&vim
set showtabpanel&vim
endfunc
diff --git a/src/version.c b/src/version.c
index 5366f3f2e..a788db1af 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1415,
/**/
1414,
/**/
Commit: https://github.com/vim/vim/commit/ac83b3c373985080eda3a07a76a556b168da4abe
Author: Christian Brabandt <c...@256bit.org>
Date: Tue May 27 20:49:34 2025 +0200
patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'
Problem: potential use-after free when there is an error in 'tabpanel'
option (@char101, after v9.1.1391)
Solution: check if p_tpl has been set to null before accessing it again.
While at it slightly change starts_with_percent_and_bang() and use the
existing opt_name and opt_scope variables.
fixes: #17364
closes: #17388
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/tabpanel.c b/src/tabpanel.c
index bb7a8742b..599e434cb 100644
--- a/src/tabpanel.c
+++ b/src/tabpanel.c
@@ -530,8 +530,8 @@ starts_with_percent_and_bang(tabpanel_T *pargs)
if (did_emsg > did_emsg_before)
{
usefmt = NULL;
- set_string_option_direct((char_u *)"tabpanel", -1, (char_u *)"",
- OPT_FREE | OPT_GLOBAL, SID_ERROR);
+ set_string_option_direct(opt_name, -1, (char_u *)"",
+ OPT_FREE | opt_scope, SID_ERROR);
}
}
#endif
@@ -641,6 +641,12 @@ do_by_tplmode(
args.prow = &row;
args.pcol = &col;
draw_tabpanel_userdefined(tplmode, &args);
+ // p_tpl could have been freed in build_stl_str_hl()
+ if (p_tpl == NULL || *p_tpl == NUL)
+ {
+ usefmt = NULL;
+ break;
+ }
p += i;
i = 0;
diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim
index 46ebe3b62..e0a6a8c61 100644
--- a/src/testdir/test_tabpanel.vim
+++ b/src/testdir/test_tabpanel.vim
@@ -529,6 +529,14 @@ function Test_tabpanel_error()
catch /^Vim\%(( \+)\)\=:E117:/
endtry
call assert_true(empty(&tabpanel))
+
+ try
+ set tabpanel=%{my#util#TabPanelHighlight}%t
+ redraw!
+ catch /^Vim\%(( \+)\)\=:E121:/
+ endtry
+ call assert_true(empty(&tabpanel))
+
set tabpanel&vim
set showtabpanel&vim
endfunc
diff --git a/src/version.c b/src/version.c
index 5366f3f2e..a788db1af 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1415,
/**/
1414,
/**/
Reply all
Reply to author
Forward
0 new messages