mirror of
https://github.com/neovim/neovim.git
synced 2024-09-17 20:58:20 -04:00
vim-patch:9.1.0728: [security]: heap-use-after-free in garbage collection with location list user data (#30377)
Problem: heap-use-after-free in garbage collection with location list
user data.
Solution: Mark user data as in use when no other window is referencing
the location list (zeertzjq)
fixes: neovim/neovim#30371
closes: vim/vim#15683
be4bd189d2
This commit is contained in:
parent
f2173b1aa2
commit
325d349f9d
@ -6875,7 +6875,8 @@ bool set_ref_in_quickfix(int copyID)
|
|||||||
// In a location list window and none of the other windows is
|
// In a location list window and none of the other windows is
|
||||||
// referring to this location list. Mark the location list
|
// referring to this location list. Mark the location list
|
||||||
// context as still in use.
|
// context as still in use.
|
||||||
if (mark_quickfix_ctx(win->w_llist_ref, copyID)) {
|
if (mark_quickfix_ctx(win->w_llist_ref, copyID)
|
||||||
|
|| mark_quickfix_user_data(win->w_llist_ref, copyID)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -4071,11 +4071,23 @@ func Test_ll_window_ctx()
|
|||||||
enew | only
|
enew | only
|
||||||
endfunc
|
endfunc
|
||||||
|
|
||||||
|
" Similar to the problem above, but for user data.
|
||||||
|
func Test_ll_window_user_data()
|
||||||
|
call setloclist(0, [#{bufnr: bufnr(), user_data: {}}])
|
||||||
|
lopen
|
||||||
|
wincmd t
|
||||||
|
close
|
||||||
|
call test_garbagecollect_now()
|
||||||
|
call feedkeys("\<CR>", 'tx')
|
||||||
|
call test_garbagecollect_now()
|
||||||
|
%bwipe!
|
||||||
|
endfunc
|
||||||
|
|
||||||
" The following test used to crash vim
|
" The following test used to crash vim
|
||||||
func Test_lfile_crash()
|
func Test_lfile_crash()
|
||||||
sp Xtest
|
sp Xtest
|
||||||
au QuickFixCmdPre * bw
|
au QuickFixCmdPre * bw
|
||||||
call assert_fails('lfile', 'E40')
|
call assert_fails('lfile', 'E40:')
|
||||||
au! QuickFixCmdPre
|
au! QuickFixCmdPre
|
||||||
endfunc
|
endfunc
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user