From: dv Date: Mon, 25 Oct 2021 14:17:24 +0000 (+0000) Subject: vi(1): fix use after free with unsaved buffer X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=950f464992f07407e52ebc716d6648aa120dd334;p=openbsd vi(1): fix use after free with unsaved buffer Issuing a zero-arg ex_edit command (:e) while using a named buffer with no backing file caused vi(1)/ex(1) to free the strings representing the buffer name and the name of the temporary file. This change detects the situation and only frees the newly allocated EXF structure (ep). Reported on bugs@ by kn@. OK millert@ --- diff --git a/usr.bin/vi/common/exf.c b/usr.bin/vi/common/exf.c index d99ce4122fb..1d966db1823 100644 --- a/usr.bin/vi/common/exf.c +++ b/usr.bin/vi/common/exf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: exf.c,v 1.47 2021/10/24 21:24:17 deraadt Exp $ */ +/* $OpenBSD: exf.c,v 1.48 2021/10/25 14:17:24 dv Exp $ */ /*- * Copyright (c) 1992, 1993, 1994 @@ -173,6 +173,16 @@ file_init(SCR *sp, FREF *frp, char *rcv_name, int flags) * to the real name (we display that until the user renames it). */ oname = frp->name; + + /* + * User is editing a named file that doesn't exist yet other than as a + * temporary file. + */ + if (!exists && oname != NULL && frp->tname != NULL) { + free(ep); + return (1); + } + if (LF_ISSET(FS_OPENERR) || oname == NULL || !exists) { /* * Don't try to create a temporary support file twice.
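Review bot: in the file_init() hunk, the new early exit `free(ep); return (1);` queues no message in the visible lines, and the comment above it states the condition but not why the function has to bail out there. Consider extending the comment to say that this path frees only ep and leaves frp->name and frp->tname alone because they are still in use, which is the use after free the commit message describes. Also confirm that the caller reports the failed :e to the user. It is worth checking as well that nothing has been attached to ep between its allocation and this point, since a bare free(ep) would leak it.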