patch 9.1.1400: [security]: use-after-free when evaluating tuple fails
Problem: [security]: use-after-free when evaluating tuple fails
Solution: return early in case of an error (Yegappan Lakshmanan)
closes: #17351
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/eval.c b/src/eval.c
index 530cc95..bbfe566 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -5000,6 +5000,8 @@
else
{
ret = eval1(arg, rettv, evalarg); // recursive!
+ if (ret != OK)
+ return ret;
*arg = skipwhite_and_linebreak(*arg, evalarg);
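Review bot: The added `if (ret != OK) return ret;` after the recursive `eval1()` call carries no comment saying why it must come before the `skipwhite_and_linebreak()` line. Presumably `rettv` is not valid once `eval1()` fails and the code that follows went on to use it, which would be the use-after-free named in the title. A comment such as `// rettv is not valid after a failure: do not continue parsing the tuple` would keep a later refactor from dropping the check. The enclosing function begins and ends outside this hunk, so it is worth confirming that the direct return does not bypass shared cleanup at the end of the function.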
diff --git a/src/testdir/test_tuple.vim b/src/testdir/test_tuple.vim
index 875031f..e767851 100644
--- a/src/testdir/test_tuple.vim
+++ b/src/testdir/test_tuple.vim
@@ -1575,6 +1575,17 @@
call v9.CheckSourceSuccess(lines)
endfunc
+" Test for evaluating a recursive tuple that results in an error
+func Test_recursive_tuple_eval_fails()
+ let lines =<< trim END
+ call assert_fails(((((((((((((((('tag xyz', func2(pat, flags, infn)
+ END
+ call v9.CheckSourceLegacyAndVim9Failure(lines, [
+ \ 'E121: Undefined variable: pat',
+ \ 'E1001: Variable not found: pat',
+ \ 'E121: Undefined variable: pat'])
+endfunc
+
" Test for add() with a tuple
func Test_tuple_add()
let lines =<< trim END
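Review bot: `Test_recursive_tuple_eval_fails()` asserts only the three error messages, so on a regular build it may still pass if the early return in eval.c is lost. The use-after-free itself is likely only detected when the suite runs under ASan or Valgrind. The comment above the function would say more as `" Regression test for patch 9.1.1400: evaluating nested parentheses fails part-way and used to access freed memory (needs ASan/Valgrind to detect)`. The unbalanced parentheses in the `lines` input are presumably the intended reproducer, and stating that in the comment would stop someone from balancing them later.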
diff --git a/src/version.c b/src/version.c
index 570bfe4..a6c749d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -710,6 +710,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1400,
+/**/
1399,
/**/
1398,