patch 9.1.0647: [security] use-after-free in tagstack_clear_entry Problem: [security] use-after-free in tagstack_clear_entry (Suyue Guo ) Solution: Instead of manually calling vim_free() on each of the tagstack entries, let's use tagstack_clear_entry(), which will also free the stack, but using the VIM_CLEAR macro, which prevents a use-after-free by setting those pointers to NULL This addresses CVE-2024-41957 Github advisory: https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4 Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: 8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5 [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Thu Aug 01 20:16:51 2024 +0200
committer: Christian Brabandt <cb@256bit.org> Thu Aug 01 22:35:18 2024 +0200
tree: f127f5240f1a3070619e1635dd376e00411306f4
parent: 5b07213c0b365f2a7fcdd10c7e7cd00aae3560a5 [diff] [blame]
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index fd786e5..29061aa 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim

@@ -190,6 +190,12 @@
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/double_free'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 50)
+
   " clean up
   exe buf .. "bw!"
   bw!
commit	8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Thu Aug 01 20:16:51 2024 +0200
committer	Christian Brabandt <cb@256bit.org>	Thu Aug 01 22:35:18 2024 +0200
tree	f127f5240f1a3070619e1635dd376e00411306f4
parent	5b07213c0b365f2a7fcdd10c7e7cd00aae3560a5 [diff] [blame]