patch 9.1.0017: [security]: use-after-free in eval1_emsg()
Problem: use-after-free in eval1_emsg() when an empty
line follows a lambda (by @yu3s)
Solution: only set evalarg->eval_using_cmdline = FALSE when
the "arg" pointer itself is not NULL (not its pointee), i.e. when
the caller will assign the returned line to "arg"
fixes: #13833
closes: #13841
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/eval.c b/src/eval.c
index 815d13d..bf053df 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -2699,6 +2699,9 @@
/*
* To be called after eval_next_non_blank() sets "getnext" to TRUE.
* Only called for Vim9 script.
+ *
+ * If "arg" is not NULL, then the caller should assign the return value to
+ * "arg".
*/
char_u *
eval_next_line(char_u *arg, evalarg_T *evalarg)
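Review bot: The new header comment at L19-L20 documents only the non-NULL case, but the fix in this patch hinges on what a NULL "arg" means, and a caller reading the contract here would not learn it. I would extend the comment with `If "arg" is NULL the caller discards the return value; "arg" then still points into the previous line, so "eval_using_cmdline" is left unchanged.` so the flag's lifetime rule is visible at the signature rather than only deep in the body. The body of eval_next_line continues outside this hunk.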
@@ -2747,8 +2750,12 @@
}
// Advanced to the next line, "arg" no longer points into the previous
- // line.
- evalarg->eval_using_cmdline = FALSE;
+ // line. The caller assigns the return value to "arg".
+ // If "arg" is NULL, then the return value is discarded. In that case,
+ // "arg" still points to the previous line. So don't reset
+ // "eval_using_cmdline".
+ if (arg != NULL)
+ evalarg->eval_using_cmdline = FALSE;
return skipwhite(line);
}
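Review bot: The guard at L33 uses `arg != NULL` as a proxy for "the caller will use the returned line", which nothing in this function enforces; a caller that passes a non-NULL "arg" and then drops the return value would keep "eval_using_cmdline" cleared while "arg" still points into the old command line, reproducing the original dangling-pointer situation. Since the function still returns `skipwhite(line)` on the NULL path (L35), the comment at L30-L32 describes a caller obligation rather than something this code guarantees, so I would word it as a requirement: `// Callers passing a NULL "arg" must discard the return value; "arg" then still points into the previous line, so "eval_using_cmdline" must stay set.` Whether any current caller passes a non-NULL "arg" and ignores the result cannot be seen from this hunk; worth a quick check of the call sites. The start of eval_next_line lies outside this hunk.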