master

分支 (20)

标签 (16)

管理

管理

master

openEuler-22.03-LTS-Next

openEuler-22.03-LTS-SP2

openEuler-20.03-LTS-SP4

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS

openEuler-20.03-LTS-SP3

openEuler-22.03-LTS-SP1

openEuler-23.09

openEuler-23.03

openEuler-22.09

sync-pr325-master-to-openEuler-22.09

openEuler-21.09

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0-base

openEuler1.0

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

vim
/
backport-CVE-2022-2862.patch

From 1889f499a4f248cd84e0e0bf6d0d820016774494 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 16 Aug 2022 19:34:44 +0100
Subject: [PATCH] patch 9.0.0221: accessing freed memory if compiling nested
 function fails

Problem:    Accessing freed memory if compiling nested function fails.
Solution:   Mess up the variable name so that it won't be found.
---
 src/testdir/test_vim9_func.vim | 12 ++++++++++++
 src/vim9compile.c              |  7 +++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 33a6615..426fde4 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -907,6 +907,18 @@ def Test_nested_function()
   v9.CheckScriptFailure(lines, 'E1173: Text found after enddef: burp', 3)
 enddef

+def Test_nested_function_fails()
+  var lines =<< trim END
+      def T()
+        def Func(g: string):string
+        enddef
+        Func()
+      enddef
+      silent! defcompile
+  END
+  v9.CheckScriptFailure(lines, 'E1069:')
+enddef
+
 def Test_not_nested_function()
   echo printf('%d',
       function('len')('xxx'))
diff --git a/src/vim9compile.c b/src/vim9compile.c
index b7f590e..fb39997 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -822,6 +822,7 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
     int		r = FAIL;
     compiletype_T   compile_type;
     isn_T	*funcref_isn = NULL;
+    lvar_T	*lvar = NULL;

     if (eap->forceit)
     {
@@ -928,9 +929,8 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
     else
     {
 	// Define a local variable for the function reference.
-	lvar_T	*lvar = reserve_local(cctx, func_name, name_end - name_start,
+	lvar = reserve_local(cctx, func_name, name_end - name_start,
 						    TRUE, ufunc->uf_func_type);
-
 	if (lvar == NULL)
 	    goto theend;
 	if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL)
@@ -949,6 +949,9 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
 	    && compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL)
     {
 	func_ptr_unref(ufunc);
+	if (lvar != NULL)
+	    // Now the local variable can't be used.
+	    *lvar->lv_name = '/';  // impossible value
 	goto theend;
     }

--
2.36.1