patch 9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose
Problem: heap-use-after-free and stack-use-after-scope with :14verbose
when using :return and :try (after 9.1.1063).
Solution: Move back the vim_free(tofree) and the scope of numbuf[].
(zeertzjq)
closes: #16563
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/userfunc.c b/src/userfunc.c
index 81f1f28..0cdfa38 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -682,12 +682,12 @@
return buf;
}
-/*
- * Get a name for a lambda. Returned in static memory.
- */
static char_u lambda_name[8 + NUMBUFLEN];
static size_t lambda_namelen = 0;
+/*
+ * Get a name for a lambda. Returned in static memory.
+ */
char_u *
get_lambda_name(void)
{
@@ -6820,17 +6820,13 @@
get_return_cmd(void *rettv)
{
char_u *s = NULL;
+ char_u *tofree = NULL;
+ char_u numbuf[NUMBUFLEN];
size_t slen = 0;
size_t IObufflen;
if (rettv != NULL)
- {
- char_u *tofree = NULL;
- char_u numbuf[NUMBUFLEN];
-
s = echo_string((typval_T *)rettv, &tofree, numbuf, 0);
- vim_free(tofree);
- }
if (s == NULL)
s = (char_u *)"";
else
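Review bot: Nothing at the new function-scope declarations of `tofree` and `numbuf` records why they must live that long, which is the invariant the earlier change broke. Judging from the two sanitizer reports named in the commit message, the `s` returned by `echo_string()` can point into `numbuf` or at the allocation handed back through `tofree`, so both have to outlive the last read of `s`. I would add above the declarations `// "s" may point into numbuf[] or at "tofree": keep both alive until IObuff is filled`. The same reasoning fixes where `vim_free(tofree)` sits in the next hunk, so a short remark there would help too. The body of get_return_cmd continues outside this hunk.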
@@ -6839,11 +6835,12 @@
STRCPY(IObuff, ":return ");
STRNCPY(IObuff + 8, s, IOSIZE - 8);
IObufflen = 8 + slen;
- if (slen + 8 >= IOSIZE)
+ if (IObufflen >= IOSIZE)
{
STRCPY(IObuff + IOSIZE - 4, "...");
- IObufflen += 3;
+ IObufflen = IOSIZE - 1;
}
+ vim_free(tofree);
return vim_strnsave(IObuff, IObufflen);
}
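Review bot: The truncation branch sets `IObufflen = IOSIZE - 1` without saying why that is the exact length, and the value depends on two non-obvious facts. `STRNCPY(IObuff + 8, s, IOSIZE - 8)` leaves no terminator when `s` is too long, and the `STRCPY` of `"..."` at `IOSIZE - 4` is what places the NUL at index `IOSIZE - 1`. A one-line comment such as `// "..." ends at IOSIZE - 2, NUL at IOSIZE - 1` would make clear that the length passed to `vim_strnsave()` can never exceed the buffer. The literal `8` for the length of `":return "` appears three times and could become a named constant. The function starts outside this hunk.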