29 lines
998 B
Diff
29 lines
998 B
Diff
From ee9166eb3b41846661a39b662dc7ebe8b5e15139 Mon Sep 17 00:00:00 2001
|
|
From: Christian Brabandt <cb@256bit.org>
|
|
Date: Sun, 3 Sep 2023 21:24:33 +0200
|
|
Subject: [PATCH 33/52] patch 9.0.1858: [security] heap use after free in
|
|
ins_compl_get_exp()
|
|
|
|
Problem: heap use after free in ins_compl_get_exp()
|
|
Solution: validate buffer before accessing it
|
|
|
|
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
|
---
|
|
src/insexpand.c | 2 +-
|
|
2 files changed, 1 insertions(+), 1 deletions(-)
|
|
create mode 100644 src/testdir/crash/poc_tagfunc.vim
|
|
|
|
diff --git a/src/insexpand.c b/src/insexpand.c
|
|
index 3cfdface4..b767b4efd 100644
|
|
--- a/src/insexpand.c
|
|
+++ b/src/insexpand.c
|
|
@@ -3840,7 +3840,7 @@ ins_compl_get_exp(pos_T *ini)
|
|
else
|
|
{
|
|
// Mark a buffer scanned when it has been scanned completely
|
|
- if (type == 0 || type == CTRL_X_PATH_PATTERNS)
|
|
+ if (buf_valid(st.ins_buf) && (type == 0 || type == CTRL_X_PATH_PATTERNS))
|
|
st.ins_buf->b_scanned = TRUE;
|
|
|
|
compl_started = FALSE;
|