From e1dc9a627536304bc4f738c21e909ad9fcf3974c Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Sat, 2 Sep 2023 14:40:13 +0200
Subject: [PATCH 13/52] patch 9.0.1840: [security] use-after-free in do_ecmd
Problem: use-after-free in do_ecmd
Solution: Verify oldwin pointer after reset_VIsual()
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
src/ex_cmds.c | 14 ++++++++++----
1 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index 20d4d9a2e..9348b4edd 100644
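--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2603,12 +2603,18 @@ do_ecmd(
 goto theend;
 }
 
- /*
- * End Visual mode before switching to another buffer, so the text can be
- * copied into the GUI selection buffer.
- */
+
+ // End Visual mode before switching to another buffer, so the text can be
+ // copied into the GUI selection buffer.
+ // Careful: may trigger ModeChanged() autocommand
+
+ // Should we block autocommands here?
 reset_VIsual();
 
+ // autocommands freed window :(
+ if (oldwin != NULL && !win_valid(oldwin))
+ oldwin = NULL;
+
 #if defined(FEAT_EVAL)
 if ((command != NULL || newlnum > (linenr_T)0)
 && *get_vim_var_str(VV_SWAPCOMMAND) == NUL)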
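Review bot: The `win_valid(oldwin)` check added after `reset_VIsual()` is a point-in-time validation, so `oldwin` is only known to be live at that line; whether anything between here and the later uses of `oldwin` can run autocommands again is not visible, because do_ecmd starts and ends outside the hunk. If such a path exists the same stale pointer comes back, so it is worth repeating the guard at the use site, `if (oldwin != NULL && win_valid(oldwin))`, or settling the open `// Should we block autocommands here?` question instead of leaving it in the code. The comment `// autocommands freed window :(` would be clearer as `// A ModeChanged autocommand run by reset_VIsual() may have closed oldwin; drop the stale pointer.` The patch as shown changes only src/ex_cmds.c, so a regression test covering a window closed from a ModeChanged autocommand would be a useful follow-up.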
--
2.33.0