vi(1): fix use after free with unsaved buffer

Issuing a zero-arg ex_edit command (:e) while using a named buffer
with no backing file caused vi(1)/ex(1) to free the strings
representing the buffer name and the name of the temporary file.
This change detects the situation and only frees the newly allocated
EXF structure (ep).

Reported on bugs@ by kn@.

OK millert@

diff --git a/usr.bin/vi/common/exf.c b/usr.bin/vi/common/exf.c
index d99ce41..1d966db 100644 (file)
--- a/usr.bin/vi/common/exf.c
+++ b/usr.bin/vi/common/exf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exf.c,v 1.47 2021/10/24 21:24:17 deraadt Exp $        */
+/*     $OpenBSD: exf.c,v 1.48 2021/10/25 14:17:24 dv Exp $     */
 
 /*-
  * Copyright (c) 1992, 1993, 1994
@@ -173,6 +173,16 @@ file_init(SCR *sp, FREF *frp, char *rcv_name, int flags)
         * to the real name (we display that until the user renames it).
         */
        oname = frp->name;
+
+       /*
+        * User is editing a named file that doesn't exist yet other than as a
+        * temporary file.
+        */
+       if (!exists && oname != NULL && frp->tname != NULL) {
+               free(ep);
+               return (1);
+       }
+
        if (LF_ISSET(FS_OPENERR) || oname == NULL || !exists) {
                /*
                 * Don't try to create a temporary support file twice.