Christian Brabandt wrote:
> the Neovim¹ project detected a use-after-free when loading a
> colorscheme.
>
> Credit goes to oni-link from the Neovim project. He has also clearly
> explained in the pull request², how that can happen, so I just skip the
> explanation. I have just slightly adapted the code to match Vim's style.
>
> diff --git a/src/syntax.c b/src/syntax.c
> --- a/src/syntax.c
> +++ b/src/syntax.c
> @@ -6988,8 +6988,17 @@ init_highlight(both, reset)
> * and 'background' or 't_Co' is changed.
> */
> p = get_var_value((char_u *)"g:colors_name");
> - if (p != NULL && load_colors(p) == OK)
> - return;
> + if (p != NULL)
> + {
> + /* Value of g:colors_name could be freed in load_colors()
> + * and make p invalid, so copy it. */
> + char_u *copy_p = vim_strsave(p);
> + if (load_colors(copy_p))
> + {
> + vim_free(copy_p);
> + return;
> + }
> + }
> #endif
>
> /*
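Review bot: vim_strsave() can return NULL when out of memory, and the added line `char_u *copy_p = vim_strsave(p);` hands the result straight to load_colors(copy_p) without checking it; test copy_p for NULL first and skip the load_colors() call in that case. Two further points in the same block: the removed condition compared `load_colors(p) == OK` while the new `if (load_colors(copy_p))` only tests for non-zero, so keep the explicit `== OK`; and vim_free(copy_p) sits only inside the success branch, so the copy is leaked whenever load_colors() does not succeed. Storing the return value, calling vim_free(copy_p) unconditionally, and returning only if the stored value equals OK covers both.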
>
> ¹ https://github.com/oni-link/neovim/commit/b7e7eb28b19ad43ed3aa4d2c570273f511cca34b
> ² https://github.com/neovim/neovim/pull/2138

Thanks. It introduces three new problems though:
- vim_strsave() may return NULL. We don't want to crash when out of
  memory.
- The check for OK is lost.
- When load_colors() returns FALSE memory is leaked.

It's easy to fix these, I'll make a patch like that.

--
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
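
The copy-before-call pattern with the three points from the reply handled, as an added example that is not Vim's or Neovim's code. save_str(), set_colors_name(), load_colors_sim() and reload_scheme() are hypothetical stand-ins for vim_strsave(), the g:colors_name variable, load_colors() and the patched part of init_highlight(); the OK/FAIL values are constructed for the sketch.

```c
#include <stdlib.h>
#include <string.h>

#define OK   1   /* constructed status codes for this sketch */
#define FAIL 0
static char *colors_name = NULL;  /* stand-in for the value of g:colors_name */
static char last_loaded[64];      /* name the loader actually read */

/* Stand-in for vim_strsave(): heap copy, NULL when allocation fails. */
static char *save_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *c = malloc(n);
    if (c != NULL) memcpy(c, s, n);
    return c;
}

/* Assigning the variable frees its old value, as a colorscheme script can. */
static void set_colors_name(const char *v)
{
    char *n = (v != NULL) ? save_str(v) : NULL;
    free(colors_name);
    colors_name = n;
}

/* Stand-in for load_colors(): reassigns the variable before reading name. */
static int load_colors_sim(const char *name)
{
    set_colors_name("other");     /* a pointer to the old value dangles now */
    if (strcmp(name, "missing") == 0) return FAIL;
    strncpy(last_loaded, name, sizeof last_loaded - 1);
    return OK;
}

/* Copy first, check the copy, free on every path, compare against OK. */
static int reload_scheme(void)
{
    char *copy_p = (colors_name != NULL) ? save_str(colors_name) : NULL;
    int r;
    if (copy_p == NULL) return FAIL;  /* unset, or out of memory */
    r = load_colors_sim(copy_p);      /* loader reads only the private copy */
    free(copy_p);                     /* released on success and on failure */
    return (r == OK) ? OK : FAIL;
}

int main(void)
{
    set_colors_name("desert");
    return reload_scheme() == OK ? 0 : 1;
}
```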