patch 8.2.4229: possible crash when invoking timer callback fails

Problem: Possible crash when invoking timer callback fails. Solution: Initialize the typval. Give an error for an empty callback. (closes #9636)
vim · Jan 27, 2022 · 745b938 · 745b938
1 parent b0ad2d9
commit 745b938
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/src/testdir/test_vim9_builtin.vim b/src/testdir/test_vim9_builtin.vim
@@ -4132,6 +4132,8 @@ enddef
 def Test_timer_start()
   CheckDefAndScriptFailure(['timer_start("a", "1")'], ['E1013: Argument 1: type mismatch, expected number but got string', 'E1210: Number required for argument 1'])
   CheckDefAndScriptFailure(['timer_start(1, "1", [1])'], ['E1013: Argument 3: type mismatch, expected dict<any> but got list<number>', 'E1206: Dictionary required for argument 3'])
+  CheckDefExecAndScriptFailure(['timer_start(100, 0)'], 'E921:')
+  CheckDefExecAndScriptFailure(['timer_start(100, "")'], 'E921:')
 enddef
 
 def Test_timer_stop()

diff --git a/src/time.c b/src/time.c
@@ -481,6 +481,7 @@ timer_callback(timer_T *timer)
     argv[0].vval.v_number = (varnumber_T)timer->tr_id;
     argv[1].v_type = VAR_UNKNOWN;
 
+    rettv.v_type = VAR_UNKNOWN;
     call_callback(&timer->tr_callback, -1, &rettv, 1, argv);
     clear_tv(&rettv);
 }
@@ -854,6 +855,13 @@ f_timer_start(typval_T *argvars, typval_T *rettv)
     callback = get_callback(&argvars[1]);
     if (callback.cb_name == NULL)
 	return;
+    if (in_vim9script() && *callback.cb_name == NUL)
+    {
+	// empty callback is not useful for a timer
+	emsg(_(e_invalid_callback_argument));
+	free_callback(&callback);
+	return;
+    }
 
     timer = create_timer(msec, repeat);
     if (timer == NULL)

diff --git a/src/version.c b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    4229,
 /**/
     4228,
 /**/