patch 9.0.2000: Vim9: use-after-free in deep call stack Problem: Vim9: use-after-free in deep call stack Solution: Get the objct pointer from execution stack closes: #13296 Signed-off-by: Christian Brabandt <cb@256bit.org> Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>

commit: 1087b8c29ab521106c5b6cc85d5b38244f0d9c1d [log] [tgz]
author: Yegappan Lakshmanan <yegappan@yahoo.com> Sat Oct 07 22:03:18 2023 +0200
committer: Christian Brabandt <cb@256bit.org> Sat Oct 07 22:03:18 2023 +0200
tree: 115f15c629ccea8411ef839b4c184502bc2cf8ca
parent: 2a281ccca017fb5e8ffd20a86aa390431224a2fd [diff] [blame]
diff --git a/src/vim9execute.c b/src/vim9execute.c
index f237132..8262822 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c

@@ -559,6 +559,12 @@
 				     arg_to_add + STACK_FRAME_SIZE + varcount))
 	return FAIL;
 
+    // The object pointer is in the execution typval stack.  The GA_GROW call
+    // above may have reallocated the execution typval stack.  So the object
+    // pointer may not be valid anymore.  Get the object pointer again from the
+    // execution stack.
+    obj = STACK_TV_BOT(0) - argcount - vararg_count - 1;
+
     // If depth of calling is getting too high, don't execute the function.
     if (funcdepth_increment() == FAIL)
 	return FAIL;
commit	1087b8c29ab521106c5b6cc85d5b38244f0d9c1d	[log] [tgz]
author	Yegappan Lakshmanan <yegappan@yahoo.com>	Sat Oct 07 22:03:18 2023 +0200
committer	Christian Brabandt <cb@256bit.org>	Sat Oct 07 22:03:18 2023 +0200
tree	115f15c629ccea8411ef839b4c184502bc2cf8ca
parent	2a281ccca017fb5e8ffd20a86aa390431224a2fd [diff] [blame]