patch 9.0.2158: [security]: use-after-free in check_argument_type
Problem: [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
list
function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.
So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer
closes: #13652
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/userfunc.c b/src/userfunc.c
index e2b1bc3..410658b 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -2533,7 +2533,7 @@
VIM_CLEAR(fp->uf_arg_types);
VIM_CLEAR(fp->uf_block_ids);
VIM_CLEAR(fp->uf_va_name);
- clear_type_list(&fp->uf_type_list);
+ clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
// Increment the refcount of this function to avoid it being freed
// recursively when the partial is freed.
@@ -5435,7 +5435,7 @@
{
VIM_CLEAR(fp->uf_arg_types);
VIM_CLEAR(fp->uf_va_name);
- clear_type_list(&fp->uf_type_list);
+ clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
}
if (free_fp)
VIM_CLEAR(fp);