Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_vim / 25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a^! / .
commit25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a[log] [tgz]
authorChristian Brabandt <cb@256bit.org>Tue Nov 14 19:31:34 2023 +0100
committerChristian Brabandt <cb@256bit.org>Thu Nov 16 22:04:00 2023 +0100
tree9b56e90635d6bc6b124bda1d179348bcd6a2cf8d
parent67abf1592c83c910c7815478f67e0a8989d51417 [diff]
patch 9.0.2106: [security]: Use-after-free in win_close()

Problem:  [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it

If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.

Add a test to trigger ASAN in CI

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/testdir/crash/poc1 b/src/testdir/crash/poc1
new file mode 100644
index 0000000..ec223f1
--- /dev/null
+++ b/src/testdir/crash/poc1
Binary files differ

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 5cd07e2..b093b05 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim

@@ -110,6 +110,39 @@
   call delete('X_crash1_result.txt')
 endfunc
 
+func Test_crash1_2()
+  CheckNotBSD
+  CheckExecutable dash
+
+  " The following used to crash Vim
+  let opts = #{cmd: 'sh'}
+  let vim  = GetVimProg()
+  let result = 'X_crash1_1_result.txt'
+
+  let buf = RunVimInTerminal('sh', opts)
+
+  let file = 'crash/poc1'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 1: [OK]" > '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
+  " clean up
+  exe buf .. "bw!"
+
+  exe "sp " .. result
+
+  let expected = [
+      \ 'crash 1: [OK]',
+      \ ]
+
+  call assert_equal(expected, getline(1, '$'))
+  bw!
+
+  call delete(result)
+endfunc
+
 func Test_crash2()
   " The following used to crash Vim
   let opts = #{wait_for_ruler: 0, rows: 20}

diff --git a/src/version.c b/src/version.c
index f9d1593..ec02198 100644
--- a/src/version.c
+++ b/src/version.c

@@ -705,6 +705,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2106,
+/**/
     2105,
 /**/
     2104,

diff --git a/src/window.c b/src/window.c
index f77ede3..55ce31c 100644
--- a/src/window.c
+++ b/src/window.c

@@ -2682,6 +2682,8 @@
 	    reset_VIsual_and_resel();	// stop Visual mode
 
 	    other_buffer = TRUE;
+	    if (!win_valid(win))
+		return FAIL;
 	    win->w_closing = TRUE;
 	    apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, FALSE, curbuf);
 	    if (!win_valid(win))