vim-patch:9.1.0728: [security]: heap-use-after-free in garbage collection with location list user data

Problem: heap-use-after-free in garbage collection with location list user data. Solution: Mark user data as in use when no other window is referencing the location list (zeertzjq) fixes: neovim/neovim#30371 closes: vim/vim#15683 be4bd189d2
2025-07-15 16:51:49 +00:00 · 2024-09-14 18:52:36 +08:00
parent d585f3103d
commit 260ac4b3a2
2 changed files with 18 additions and 1 deletions
--- a/src/nvim/quickfix.c
+++ b/src/nvim/quickfix.c
@ -6936,6 +6936,11 @@ bool set_ref_in_quickfix(int copyID)
      if (abort) {
        return abort;
      }
+
+      abort = mark_quickfix_user_data(win->w_llist_ref, copyID);
+      if (abort) {
+        return abort;
+      }
    }
  }

--- a/test/old/testdir/test_quickfix.vim
+++ b/test/old/testdir/test_quickfix.vim
@ -4072,11 +4072,23 @@ func Test_ll_window_ctx()
  enew | only
 endfunc

+" Similar to the problem above, but for user data.
+func Test_ll_window_user_data()
+  call setloclist(0, [#{bufnr: bufnr(), user_data: {}}])
+  lopen
+  wincmd t
+  close
+  call test_garbagecollect_now()
+  call feedkeys("\<CR>", 'tx')
+  call test_garbagecollect_now()
+  %bwipe!
+endfunc
+
 " The following test used to crash vim
 func Test_lfile_crash()
  sp Xtest
  au QuickFixCmdPre * bw
-  call assert_fails('lfile', 'E40')
+  call assert_fails('lfile', 'E40:')
  au! QuickFixCmdPre
 endfunc