patch 9.1.1415: potential use-after free when there is an error in 'tabpanel'
Commit: https://github.com/vim/vim/commit/ac83b3c373985080eda3a07a76a556b168da4abe Author: Christian Brabandt <c...@256bit.org> Date: Tue May 27 20:49:34 2025 +0200 patch 9.1.1415: potential use-after free when there is an error in 'tabpanel' Problem: potential use-after free when there is an error in 'tabpanel' option (@char101, after v9.1.1391) Solution: check if p_tpl has been set to null before accessing it again. While at it slightly change starts_with_percent_and_bang() and use the existing opt_name and opt_scope variables. fixes: #17364 closes: #17388 Signed-off-by: Christian Brabandt <c...@256bit.org> diff --git a/src/tabpanel.c b/src/tabpanel.c index bb7a8742b..599e434cb 100644 --- a/src/tabpanel.c +++ b/src/tabpanel.c @@ -530,8 +530,8 @@ starts_with_percent_and_bang(tabpanel_T *pargs) if (did_emsg > did_emsg_before) { usefmt = NULL; - set_string_option_direct((char_u *)"tabpanel", -1, (char_u *)"", - OPT_FREE | OPT_GLOBAL, SID_ERROR); + set_string_option_direct(opt_name, -1, (char_u *)"", + OPT_FREE | opt_scope, SID_ERROR); } } #endif @@ -641,6 +641,12 @@ do_by_tplmode( args.prow = &row; args.pcol = &col; draw_tabpanel_userdefined(tplmode, &args); + // p_tpl could have been freed in build_stl_str_hl() + if (p_tpl == NULL || *p_tpl == NUL) + { + usefmt = NULL; + break; + } p += i; i = 0; diff --git a/src/testdir/test_tabpanel.vim b/src/testdir/test_tabpanel.vim index 46ebe3b62..e0a6a8c61 100644 --- a/src/testdir/test_tabpanel.vim +++ b/src/testdir/test_tabpanel.vim @@ -529,6 +529,14 @@ function Test_tabpanel_error() catch /^Vim\%(( \+)\)\=:E117:/ endtry call assert_true(empty(&tabpanel)) + + try + set tabpanel=%{my#util#TabPanelHighlight}%t + redraw! + catch /^Vim\%(( \+)\)\=:E121:/ + endtry + call assert_true(empty(&tabpanel)) + set tabpanel&vim set showtabpanel&vim endfunc diff --git a/src/version.c b/src/version.c index 5366f3f2e..a788db1af 100644 --- a/src/version.c +++ b/src/version.c @@ -709,6 +709,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1415, /**/ 1414, /**/ -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1uJzWz-001ZwR-29%40256bit.org.
