path: root/debian/patches/CVE-2022-2946.patch
blob: b3dadb9775af21125089a2e811e5519aaaad3b13 (plain)
From: Markus Koschany <apo@debian.org>
Date: Sun, 6 Nov 2022 23:12:54 +0100
Subject: CVE-2022-2946

Origin: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c
---
 src/tag.c                    |  9 ++++++++-
 src/testdir/test_tagcase.vim | 12 ++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/tag.c b/src/tag.c
index b1915e1..4e96da3 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -146,6 +146,7 @@ do_tag(
     int		attr;
     int		use_tagstack;
     int		skip_msg = FALSE;
+    char_u	*tofree = NULL;
     char_u	*buf_ffname = curbuf->b_ffname;	    /* name to use for
 						       priority computation */
 
@@ -486,7 +487,12 @@ do_tag(
 	 * When desired match not found yet, try to find it (and others).
 	 */
 	if (use_tagstack)
-	    name = tagstack[tagstackidx].tagname;
+	{
+	    // make a copy, the tagstack may change in 'tagfunc'
+	    name = vim_strsave(tagstack[tagstackidx].tagname);
+	    vim_free(tofree);
+	    tofree = name;
+	}
 #if defined(FEAT_QUICKFIX)
 	else if (g_do_tagpreview != 0)
 	    name = ptag_entry.tagname;
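Review bot: The result of `vim_strsave()` in the `use_tagstack` branch is never checked, so an allocation failure leaves `name` NULL where the old code always held the tagstack pointer. The later uses of `name` lie outside this hunk, so whether they tolerate NULL cannot be confirmed from here; a guard such as `if (name == NULL) goto end_do_tag;` placed after `tofree = name;` would make the failure path explicit, assuming the cleanup label shown in the last hunk is safe to reach from this point. The `g_do_tagpreview` branch directly below still assigns `ptag_entry.tagname` without a copy, and it is worth confirming that this pointer cannot be invalidated by 'tagfunc' in the same way. As a style point, the new `//` comment differs from the `/* */` comments on the surrounding lines.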
@@ -1078,6 +1084,7 @@ end_do_tag:
     g_do_tagpreview = 0;	/* don't do tag preview next time */
 # endif
 
+    vim_free(tofree);
 #ifdef FEAT_CSCOPE
     return jumped_to_tag;
 #else