patch 9.2.0618: use-after-free in popup_getoptions() on dict_add() failure
Commit: https://github.com/vim/vim/commit/f202f6ca95220cd7915e80bb8d81e0e70082faaa
Author: Yasuhiro Matsumoto <matt...@gmail.com>
Date: Wed Jun 10 20:55:06 2026 +0000
patch 9.2.0618: use-after-free in popup_getoptions() on dict_add() failure
Problem: use-after-free in popup_getoptions() on dict_add() failure
Solution: Set b to NULL (Yasuhiro Matsumoto).
When dict_add() failed, dictitem_free() unref'd and freed the blob, but
the error cleanup then read the freed blob's refcount and could free it
again. Clear the pointer after dictitem_free().
closes: #20464
Signed-off-by: Yasuhiro Matsumoto <matt...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/popupwin.c b/src/popupwin.c
index 7610ae538..351c86556 100644
--- a/src/popupwin.c
+++ b/src/popupwin.c
@@ -5433,7 +5433,9 @@ f_popup_getoptions(typval_T *argvars, typval_T *rettv)
++b->bv_refcount;
if (dict_add(idict, item) == FAIL)
{
+ // dictitem_free() already freed the blob
dictitem_free(item);
+ b = NULL;
ok = FALSE;
}
}
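Review bot: after `b = NULL;` in the `dict_add(idict, item) == FAIL` branch, the error cleanup that the commit message says reads the blob's refcount lies outside this hunk's context, so it should be confirmed that it tests `b != NULL` before touching `b->bv_refcount`; otherwise the use-after-free turns into a NULL dereference. The new comment also sits above `dictitem_free(item);` while saying the blob is "already freed"; moving it onto the assignment, for example `b = NULL;  // freed by dictitem_free()`, would read in execution order. The patch touches only src/popupwin.c and src/version.c, so nothing here exercises the dict_add() failure path as a regression test.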
diff --git a/src/version.c b/src/version.c
index e100c8a4b..8d6afb613 100644
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 618,
/**/
617,
/**/