Commit: patch 9.1.1982: Use after free with redraw_listener_add()


Christian Brabandt

Dec 15, 2025, 2:15:51 PM
to vim...@googlegroups.com
patch 9.1.1982: Use after free with redraw_listener_add()

Commit: https://github.com/vim/vim/commit/eb5995a8764418359b979093f3af06f03ac7de6e
Author: Foxe Chen <chen...@gmail.com>
Date: Mon Dec 15 19:58:54 2025 +0100

patch 9.1.1982: Use after free with redraw_listener_add()

Problem: Use after free with redraw_listener_add() (after: v9.1.1976)
Solution: Copy Callbacks into listener struct (Foxe Chen)

closes: #18926

Signed-off-by: Foxe Chen <chen...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/drawscreen.c b/src/drawscreen.c
index 6e37ccbab..ba6901d08 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -3479,7 +3479,7 @@ f_redraw_listener_add(typval_T *argvars, typval_T *rettv)
vim_free(rln);
return;
}
- set_callback(&rln->rl_callbacks.on_start, &cb);
+ copy_callback(&rln->rl_callbacks.on_start, &cb);
free_callback(&cb);
clear_tv(&tv);
got_one = true;
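Review bot: The copy_callback() call on rl_callbacks.on_start is followed directly by free_callback(&cb), so the listener now relies on holding its own copy of the callback once cb is released, and nothing at the call site says so. A one-line comment here stating that rln owns the copy, and that it has to be released with free_callback() when the listener goes away, would keep a later cleanup from switching this back to set_callback().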
@@ -3496,7 +3496,7 @@ f_redraw_listener_add(typval_T *argvars, typval_T *rettv)
vim_free(rln);
return;
}
- set_callback(&rln->rl_callbacks.on_end, &cb);
+ copy_callback(&rln->rl_callbacks.on_end, &cb);
free_callback(&cb);
clear_tv(&tv);
got_one = true;
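Review bot: The error path in the context just above the on_end copy ends in `vim_free(rln); return;`, and by that point rl_callbacks.on_start may already hold a copy made by copy_callback() in the previous hunk. The lines before vim_free(rln) are not visible in this hunk; if they do not call free_callback() on rln->rl_callbacks.on_start, that copy leaks on this path, so please confirm it is released there or add the call before rln is freed.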
diff --git a/src/testdir/test_listener.vim b/src/testdir/test_listener.vim
index 4b073af07..d3475cbc4 100644
--- a/src/testdir/test_listener.vim
+++ b/src/testdir/test_listener.vim
@@ -774,4 +774,12 @@ func Test_redraw_remove_in_callback()
call StopVimInTerminal(buf)
endfunc

+func s:OnRedraw()
+endfunc
+
+" Test if partial is correctly ref'ed and doesn't cause use afte free error
+func Test_redraw_listener_partial()
+ call redraw_listener_add(#{on_start: function("s:OnRedraw", [1])})
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 92005c716..a3e2f5127 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1982,
/**/
1981,
/**/