neovim

Neovim text editor
git clone https://git.dasho.dev/neovim.git
Log | Files | Refs | README
commit 82ac8294c22a15899548a1cb408ca114a598f434
parent b853ef770a25fcd91def6c5016d65c336897c2cc
Author: zeertzjq <zeertzjq@outlook.com>
Date:   Sun,  2 Feb 2025 16:00:04 +0800

vim-patch:9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

Problem:  heap-use-after-free and stack-use-after-scope with :14verbose
          when using :return and :try (after 9.1.1063).
Solution: Move back the vim_free(tofree) and the scope of numbuf[].
          (zeertzjq)

closes: vim/vim#16563

https://github.com/vim/vim/commit/2101230f4013860dbafcb0cab3f4e6bc92fb6f35

Diffstat:

Msrc/nvim/eval/userfunc.c | 8++++----


Mtest/old/testdir/test_user_func.vim | 32++++++++++++++++++++++++++++++++


2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/src/nvim/eval/userfunc.c b/src/nvim/eval/userfunc.c
@@ -3672,12 +3672,11 @@ bool do_return(exarg_T *eap, bool reanimate, bool is_cmd, void *rettv)
 char *get_return_cmd(void *rettv)
 {
   char *s = NULL;
+  char *tofree = NULL;
   size_t slen = 0;
 
   if (rettv != NULL) {
-    char *tofree = NULL;
     tofree = s = encode_tv2echo((typval_T *)rettv, NULL);
-    xfree(tofree);
   }
   if (s == NULL) {
     s = "";
@@ -3688,10 +3687,11 @@ char *get_return_cmd(void *rettv)
   xstrlcpy(IObuff, ":return ", IOSIZE);
   xstrlcpy(IObuff + 8, s, IOSIZE - 8);
   size_t IObufflen = 8 + slen;
-  if (slen + 8 >= IOSIZE) {
+  if (IObufflen >= IOSIZE) {
     STRCPY(IObuff + IOSIZE - 4, "...");
-    IObufflen += 3;
+    IObufflen = IOSIZE - 1;
   }
+  xfree(tofree);
   return xstrnsave(IObuff, IObufflen);
 }
 
diff --git a/test/old/testdir/test_user_func.vim b/test/old/testdir/test_user_func.vim
@@ -910,4 +910,36 @@ func Test_func_curly_brace_invalid_name()
   delfunc Fail
 endfunc
 
+func Test_func_return_in_try_verbose()
+  func TryReturnList()
+    try
+      return [1, 2, 3]
+    endtry
+  endfunc
+  func TryReturnNumber()
+    try
+      return 123
+    endtry
+  endfunc
+  func TryReturnOverlongString()
+    try
+      return repeat('a', 9999)
+    endtry
+  endfunc
+
+  " This should not cause heap-use-after-free
+  call assert_match('\n:return \[1, 2, 3\] made pending\n',
+                  \ execute('14verbose call TryReturnList()'))
+  " This should not cause stack-use-after-scope
+  call assert_match('\n:return 123 made pending\n',
+                  \ execute('14verbose call TryReturnNumber()'))
+  " An overlong string is truncated
+  call assert_match('\n:return a\{100,}\.\.\.',
+                  \ execute('14verbose call TryReturnOverlongString()'))
+
+  delfunc TryReturnList
+  delfunc TryReturnNumber
+  delfunc TryReturnOverlongString
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab