double-free in dialog_changed() in Vim < v9.1.0648
==================================================
Date: 01.08.2024
Severity: Low
CVE: <not-yet-assigned>
CWE: Double Free (CWE-416)

When abandoning a buffer, Vim may ask the user what to do with the
modified buffer. If the user wants the changed buffer to be saved, Vim
may create a new Untitled file, if the buffer did not have a name yet.

However, when setting the buffer name to Unnamed, Vim will falsely free
a pointer twice, leading to a double-free and possibly later to a
heap-use-after-free, which can lead to a crash.
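To illustrate the bug class described above (this is an added example, not code from Vim's source, and the buffer record, allocator and function names are hypothetical): a name pointer ends up with two owners, so it is freed once by the caller and a second time when the buffer releases its name, leaving a dangling pointer in between. A small tracking allocator reports the second free instead of corrupting the heap, which is how a debug allocator or AddressSanitizer would surface it; the fixed variant gives the buffer its own private copy so every allocation has exactly one owner.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (illustrative, not Vim's): remembers live pointers so a
 * second free of the same pointer is reported rather than corrupting the heap. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_free_count = 0;

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) return NULL;
    strcpy(p, s);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

/* Returns 0 on a valid free, -1 when the pointer is not live (double free). */
static int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    double_free_count++;
    return -1;
}

/* Hypothetical buffer record that owns its name. */
typedef struct { char *name; } buf_T;

/* Releasing a buffer frees its name exactly once. */
static int release_buf(buf_T *buf) {
    int rc = tracked_free(buf->name);
    buf->name = NULL;
    return rc;
}

/* Buggy ownership: the buffer takes the caller's pointer as its own... */
static int set_name_buggy(buf_T *buf, char *name) {
    int rc = tracked_free(buf->name);   /* old name freed once: fine */
    buf->name = name;
    return rc;
}

static int caller_buggy(void) {
    buf_T buf = { tracked_strdup("old") };
    char *name = tracked_strdup("Untitled");
    int rc = set_name_buggy(&buf, name);
    rc |= tracked_free(name);           /* ...but the caller frees it too (buf->name now dangles) */
    rc |= release_buf(&buf);            /* second free of the same block: double free */
    return rc;                          /* -1: the tracker caught the double free */
}

/* Fixed ownership: the buffer keeps a private copy, the caller keeps its own. */
static int set_name_fixed(buf_T *buf, const char *name) {
    char *copy = tracked_strdup(name);
    if (copy == NULL) return -1;
    tracked_free(buf->name);            /* old name freed once */
    buf->name = copy;
    return 0;
}

static int caller_fixed(void) {
    buf_T buf = { tracked_strdup("old") };
    char *name = tracked_strdup("Untitled");
    int rc = set_name_fixed(&buf, name);
    rc |= tracked_free(name);           /* caller frees only its own allocation */
    rc |= release_buf(&buf);            /* buffer frees only its copy */
    return rc;                          /* 0: every block freed exactly once */
}

int main(void) {
    printf("buggy: rc=%d double frees=%d\n", caller_buggy(), double_free_count);
    printf("fixed: rc=%d double frees=%d\n", caller_fixed(), double_free_count);
    return 0;
}
```

The same ownership confusion is what a real allocator would turn into heap corruption or, if the dangling buf->name is read before the second free, a heap-use-after-free; building with -fsanitize=address reports both conditions at the first faulty access.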

The Vim project would like to thank GitHub user SuyueGuo for reporting this
issue.

The issue has been fixed as of Vim patch v9.1.0648.

URLs: https://github.com/vim/vim/commit/b29f4abcd4b3382fa746e
      https://github.com/vim/vim/security/GHSA-46pw-v7qw-xc2f

Thanks,
Chris
-- 
Always remember that the crowd that cheered at your coronation
will also applaud when you are beheaded.
                -- Terry Pratchett, "Ab die Post"
