patch 9.0.1988: Vim9: potential use-after-free for class members
Problem: Vim9: potential use-after-free for class members
Solution: Use the class-related grow array for storing the
member type instead of using a temporary type
list grow array
Use the type list grow array associated with the class than using a
temporary type list grow array to allocate the class member type.
For simple types, a predefined type is used. For complex types, the type
is dynamically allocated from a grow array. For class variables, the
type grow array in the class should be used. So that the lifetime of the
type is same as the lifetime of the class.
closes: #13279
Signed-off-by: Christian Brabandt <cb@256bit.org>
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
diff --git a/src/vim9class.c b/src/vim9class.c
index ce23160..925149e 100644
--- a/src/vim9class.c
+++ b/src/vim9class.c
@@ -1152,12 +1152,8 @@
* and initialize it.
*/
static void
-add_class_members(class_T *cl, exarg_T *eap)
+add_class_members(class_T *cl, exarg_T *eap, garray_T *type_list_gap)
{
- garray_T type_list;
-
- ga_init2(&type_list, sizeof(type_T *), 10);
-
// Allocate a typval for each class member and initialize it.
cl->class_members_tv = ALLOC_CLEAR_MULT(typval_T,
cl->class_class_member_count);
@@ -1178,8 +1174,9 @@
&& etv->v_type != VAR_SPECIAL)
// If the member variable type is not yet set, then use
// the initialization expression type.
- m->ocm_type = typval2type(etv, get_copyID(), &type_list,
- TVTT_DO_MEMBER|TVTT_MORE_SPECIFIC);
+ m->ocm_type = typval2type(etv, get_copyID(),
+ type_list_gap,
+ TVTT_DO_MEMBER|TVTT_MORE_SPECIFIC);
*tv = *etv;
vim_free(etv);
}
@@ -1191,8 +1188,6 @@
tv->vval.v_string = NULL;
}
}
-
- clear_type_list(&type_list);
}
/*
@@ -1953,7 +1948,7 @@
// Allocate a typval for each class member and initialize it.
if (is_class && cl->class_class_member_count > 0)
- add_class_members(cl, eap);
+ add_class_members(cl, eap, &type_list);
int have_new = FALSE;
ufunc_T *class_func = NULL;