Commit: patch 9.1.1400: [security]: use-after-free when evaluating tuple fails
1 view
Skip to first unread message
Christian Brabandt
May 21, 2025, 3:00:18 PM5/21/25
to vim...@googlegroups.com
patch 9.1.1400: [security]: use-after-free when evaluating tuple fails
Commit: https://github.com/vim/vim/commit/1307743697bbc46e1518abfea7f89caa95bcaf97
Author: Yegappan Lakshmanan <yega...@yahoo.com>
Date: Wed May 21 20:52:44 2025 +0200
patch 9.1.1400: [security]: use-after-free when evaluating tuple fails
Problem: [security]: use-after-free when evaluating tuple fails
Solution: return early in case of an error (Yegappan Lakshmanan)
closes: #17351
Signed-off-by: Yegappan Lakshmanan <yega...@yahoo.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/eval.c b/src/eval.c
index 530cc95fd..bbfe566fa 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -5000,6 +5000,8 @@ eval9_nested_expr(
else
{
ret = eval1(arg, rettv, evalarg); // recursive!
+ if (ret != OK)
+ return ret;
*arg = skipwhite_and_linebreak(*arg, evalarg);
diff --git a/src/testdir/test_tuple.vim b/src/testdir/test_tuple.vim
index 875031f2c..e767851af 100644
--- a/src/testdir/test_tuple.vim
+++ b/src/testdir/test_tuple.vim
@@ -1575,6 +1575,17 @@ func Test_try_finally_with_tuple_return()
call v9.CheckSourceSuccess(lines)
endfunc
+" Test for evaluating a recursive tuple that results in an error
+func Test_recursive_tuple_eval_fails()
+ let lines =<< trim END
+ call assert_fails(((((((((((((((('tag xyz', func2(pat, flags, infn)
+ END
+ call v9.CheckSourceLegacyAndVim9Failure(lines, [
+ \ 'E121: Undefined variable: pat',
+ \ 'E1001: Variable not found: pat',
+ \ 'E121: Undefined variable: pat'])
+endfunc
+
" Test for add() with a tuple
func Test_tuple_add()
let lines =<< trim END
diff --git a/src/version.c b/src/version.c
index 570bfe494..a6c749dc0 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1400,
/**/
1399,
/**/
Commit: https://github.com/vim/vim/commit/1307743697bbc46e1518abfea7f89caa95bcaf97
Author: Yegappan Lakshmanan <yega...@yahoo.com>
Date: Wed May 21 20:52:44 2025 +0200
patch 9.1.1400: [security]: use-after-free when evaluating tuple fails
Problem: [security]: use-after-free when evaluating tuple fails
Solution: return early in case of an error (Yegappan Lakshmanan)
closes: #17351
Signed-off-by: Yegappan Lakshmanan <yega...@yahoo.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/eval.c b/src/eval.c
index 530cc95fd..bbfe566fa 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -5000,6 +5000,8 @@ eval9_nested_expr(
else
{
ret = eval1(arg, rettv, evalarg); // recursive!
+ if (ret != OK)
+ return ret;
*arg = skipwhite_and_linebreak(*arg, evalarg);
diff --git a/src/testdir/test_tuple.vim b/src/testdir/test_tuple.vim
index 875031f2c..e767851af 100644
--- a/src/testdir/test_tuple.vim
+++ b/src/testdir/test_tuple.vim
@@ -1575,6 +1575,17 @@ func Test_try_finally_with_tuple_return()
call v9.CheckSourceSuccess(lines)
endfunc
+" Test for evaluating a recursive tuple that results in an error
+func Test_recursive_tuple_eval_fails()
+ let lines =<< trim END
+ call assert_fails(((((((((((((((('tag xyz', func2(pat, flags, infn)
+ END
+ call v9.CheckSourceLegacyAndVim9Failure(lines, [
+ \ 'E121: Undefined variable: pat',
+ \ 'E1001: Variable not found: pat',
+ \ 'E121: Undefined variable: pat'])
+endfunc
+
" Test for add() with a tuple
func Test_tuple_add()
let lines =<< trim END
diff --git a/src/version.c b/src/version.c
index 570bfe494..a6c749dc0 100644
--- a/src/version.c
+++ b/src/version.c
@@ -709,6 +709,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1400,
/**/
1399,
/**/
Reply all
Reply to author
Forward
0 new messages