42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From fc68299d436cf87453e432daa77b6d545df4d7ed Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Sun, 3 Sep 2023 20:20:52 +0200
|
|
Subject: [PATCH 32/52] patch 9.0.1857: [security] heap-use-after-free in
|
|
is_qf_win()
|
|
|
|
Problem: heap-use-after-free in is_qf_win()
|
|
Solution: Check buffer is valid before accessing it
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/main.c | 2 +-
|
|
src/quickfix.c | 2 +-
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/main.c b/src/main.c
|
|
index cca53fe25..a40c3a666 100644
|
|
--- a/src/main.c
|
|
+++ b/src/main.c
|
|
@@ -1606,7 +1606,7 @@ getout(int exitval)
|
|
next_tp = tp->tp_next;
|
|
FOR_ALL_WINDOWS_IN_TAB(tp, wp)
|
|
{
|
|
- if (wp->w_buffer == NULL)
|
|
+ if (wp->w_buffer == NULL || !buf_valid(wp->w_buffer))
|
|
// Autocmd must have close the buffer already, skip.
|
|
continue;
|
|
buf = wp->w_buffer;
|
|
diff --git a/src/quickfix.c b/src/quickfix.c
|
|
index aa431ea10..a3d3e8fb7 100644
|
|
--- a/src/quickfix.c
|
|
+++ b/src/quickfix.c
|
|
@@ -4426,7 +4426,7 @@ is_qf_win(win_T *win, qf_info_T *qi)
|
|
// set to NULL.
|
|
// A window displaying a location list buffer will have the w_llist_ref
|
|
// pointing to the location list.
|
|
- if (bt_quickfix(win->w_buffer))
|
|
+ if (buf_valid(win->w_buffer) && bt_quickfix(win->w_buffer))
|
|
if ((IS_QF_STACK(qi) && win->w_llist_ref == NULL)
|
|
|| (IS_LL_STACK(qi) && win->w_llist_ref == qi))
|
|
return TRUE;
|