patch 9.1.1415: potential use-after free when there is an error in 'tabpanel' Problem: potential use-after free when there is an error in 'tabpanel' option (@char101, after v9.1.1391) Solution: check if p_tpl has been set to null before accessing it again. While at it slightly change starts_with_percent_and_bang() and use the existing opt_name and opt_scope variables. fixes: #17364 closes: #17388 Signed-off-by: Christian Brabandt <cb@256bit.org>

commit: ac83b3c373985080eda3a07a76a556b168da4abe [log] [tgz]
author: Christian Brabandt <cb@256bit.org> Tue May 27 20:49:34 2025 +0200
committer: Christian Brabandt <cb@256bit.org> Tue May 27 20:49:34 2025 +0200
tree: 7132367315926bee4d907274a7850f75d6984bb1
parent: f0c7090a3833f1c85b242a858e7d95a34456674c [diff] [blame]
diff --git a/src/tabpanel.c b/src/tabpanel.c
index bb7a874..599e434 100644
--- a/src/tabpanel.c
+++ b/src/tabpanel.c

@@ -530,8 +530,8 @@
 	if (did_emsg > did_emsg_before)
 	{
 	    usefmt = NULL;
-	    set_string_option_direct((char_u *)"tabpanel", -1, (char_u *)"",
-		    OPT_FREE | OPT_GLOBAL, SID_ERROR);
+	    set_string_option_direct(opt_name, -1, (char_u *)"",
+		    OPT_FREE | opt_scope, SID_ERROR);
 	}
     }
 #endif
@@ -641,6 +641,12 @@
 		args.prow = &row;
 		args.pcol = &col;
 		draw_tabpanel_userdefined(tplmode, &args);
+		// p_tpl could have been freed in build_stl_str_hl()
+		if (p_tpl == NULL || *p_tpl == NUL)
+		{
+		    usefmt = NULL;
+		    break;
+		}
 
 		p += i;
 		i = 0;
commit	ac83b3c373985080eda3a07a76a556b168da4abe	[log] [tgz]
author	Christian Brabandt <cb@256bit.org>	Tue May 27 20:49:34 2025 +0200
committer	Christian Brabandt <cb@256bit.org>	Tue May 27 20:49:34 2025 +0200
tree	7132367315926bee4d907274a7850f75d6984bb1
parent	f0c7090a3833f1c85b242a858e7d95a34456674c [diff] [blame]