patch 9.1.1982: Use after free with redraw_listener_add()
Commit:
https://github.com/vim/vim/commit/eb5995a8764418359b979093f3af06f03ac7de6e
Author: Foxe Chen <[email protected]>
Date: Mon Dec 15 19:58:54 2025 +0100
patch 9.1.1982: Use after free with redraw_listener_add()
Problem: Use after free with redraw_listener_add() (after: v9.1.1976)
Solution: Copy Callbacks into listener struct (Foxe Chen)
closes: #18926
Signed-off-by: Foxe Chen <[email protected]>
Signed-off-by: Christian Brabandt <[email protected]>
diff --git a/src/drawscreen.c b/src/drawscreen.c
index 6e37ccbab..ba6901d08 100644
--- a/src/drawscreen.c
+++ b/src/drawscreen.c
@@ -3479,7 +3479,7 @@ f_redraw_listener_add(typval_T *argvars, typval_T *rettv)
vim_free(rln);
return;
}
- set_callback(&rln->rl_callbacks.on_start, &cb);
+ copy_callback(&rln->rl_callbacks.on_start, &cb);
free_callback(&cb);
clear_tv(&tv);
got_one = true;
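Review bot: The ownership rule behind this one-word change is not written down at the call site, so `copy_callback(...)` followed directly by `free_callback(&cb)` reads like a mistake and could be undone by a later cleanup. A short comment above the copy would pin it, for example `// rln keeps its own copy of the callback; the local cb is released just below`. The same comment applies to the `on_end` copy in the next hunk. f_redraw_listener_add() starts and ends outside both hunks, so how rln is allocated and eventually freed is not visible here.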
@@ -3496,7 +3496,7 @@ f_redraw_listener_add(typval_T *argvars, typval_T *rettv)
vim_free(rln);
return;
}
- set_callback(&rln->rl_callbacks.on_end, &cb);
+ copy_callback(&rln->rl_callbacks.on_end, &cb);
free_callback(&cb);
clear_tv(&tv);
got_one = true;
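Review bot: The early exit at the top of this hunk releases the listener with `vim_free(rln); return;` only, although by that point the `on_start` branch may already have stored its own copy in `rln->rl_callbacks.on_start`. If that copy holds a reference or an allocated name, as the commit message suggests, this path would presumably leak it when `on_end` is rejected after `on_start` was accepted. Consider adding `free_callback(&rln->rl_callbacks.on_start);` before `vim_free(rln);`, provided rln is zero-initialised so the call is safe when no `on_start` was given. The condition guarding this exit lies outside the hunk, so confirm against the full function.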
diff --git a/src/testdir/test_listener.vim b/src/testdir/test_listener.vim
index 4b073af07..d3475cbc4 100644
--- a/src/testdir/test_listener.vim
+++ b/src/testdir/test_listener.vim
@@ -774,4 +774,12 @@ func Test_redraw_remove_in_callback()
call StopVimInTerminal(buf)
endfunc
+func s:OnRedraw()
+endfunc
+
+" Test if partial is correctly ref'ed and doesn't cause use afte free error
+func Test_redraw_listener_partial()
+ call redraw_listener_add(#{on_start: function("s:OnRedraw", [1])})
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
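Review bot: Test_redraw_listener_partial() registers the listener and returns, so the stored partial is never touched after the local callback is freed and the listener stays registered for the rest of the test file; the regression would likely only be caught when the suite runs under a memory checker. Keeping the id and removing the listener at the end, `let id = redraw_listener_add(...)` followed by `call redraw_listener_remove(id)`, would make the test self-contained and exercise the release path. Note that `s:OnRedraw()` takes no arguments while the partial binds `[1]`, so its signature would need `(...)` if the callback is ever to be invoked. The comment above the function has a typo: `afte free` should read `after free`.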
diff --git a/src/version.c b/src/version.c
index 92005c716..a3e2f5127 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1982,
/**/
1981,
/**/