vim-patch:9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose

Problem: heap-use-after-free and stack-use-after-scope with :14verbose when using :return and :try (after 9.1.1063). Solution: Move back the vim_free(tofree) and the scope of numbuf[]. (zeertzjq) closes: vim/vim#16563 2101230f40
2025-02-25 18:55:25 -06:00 · 2025-02-02 16:00:04 +08:00 · 2025-02-02 16:00:04 +08:00 · 82ac8294c2
commit 82ac8294c2
parent b853ef770a
2 changed files with 36 additions and 4 deletions
--- a/src/nvim/eval/userfunc.c
+++ b/src/nvim/eval/userfunc.c
@ -3672,12 +3672,11 @@ bool do_return(exarg_T *eap, bool reanimate, bool is_cmd, void *rettv)
 char *get_return_cmd(void *rettv)
 {
  char *s = NULL;
+  char *tofree = NULL;
  size_t slen = 0;

  if (rettv != NULL) {
-    char *tofree = NULL;
    tofree = s = encode_tv2echo((typval_T *)rettv, NULL);
-    xfree(tofree);
  }
  if (s == NULL) {
    s = "";
@ -3688,10 +3687,11 @@ char *get_return_cmd(void *rettv)
  xstrlcpy(IObuff, ":return ", IOSIZE);
  xstrlcpy(IObuff + 8, s, IOSIZE - 8);
  size_t IObufflen = 8 + slen;
-  if (slen + 8 >= IOSIZE) {
+  if (IObufflen >= IOSIZE) {
    STRCPY(IObuff + IOSIZE - 4, "...");
-    IObufflen += 3;
+    IObufflen = IOSIZE - 1;
  }
+  xfree(tofree);
  return xstrnsave(IObuff, IObufflen);
 }

--- a/test/old/testdir/test_user_func.vim
+++ b/test/old/testdir/test_user_func.vim
@ -910,4 +910,36 @@ func Test_func_curly_brace_invalid_name()
  delfunc Fail
 endfunc

+func Test_func_return_in_try_verbose()
+  func TryReturnList()
+    try
+      return [1, 2, 3]
+    endtry
+  endfunc
+  func TryReturnNumber()
+    try
+      return 123
+    endtry
+  endfunc
+  func TryReturnOverlongString()
+    try
+      return repeat('a', 9999)
+    endtry
+  endfunc
+
+  " This should not cause heap-use-after-free
+  call assert_match('\n:return \[1, 2, 3\] made pending\n',
+                  \ execute('14verbose call TryReturnList()'))
+  " This should not cause stack-use-after-scope
+  call assert_match('\n:return 123 made pending\n',
+                  \ execute('14verbose call TryReturnNumber()'))
+  " An overlong string is truncated
+  call assert_match('\n:return a\{100,}\.\.\.',
+                  \ execute('14verbose call TryReturnOverlongString()'))
+
+  delfunc TryReturnList
+  delfunc TryReturnNumber
+  delfunc TryReturnOverlongString
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab