patch 9.1.1115: [security]: use-after-free in str_to_reg()

Problem:  [security]: use-after-free in str_to_reg()
          (fizz-is-on-the-way)
Solution: when redirecting the :display command, check that one
          does not output to the register being displayed

Github Advisory:
GHSA-63p5-mwg2-787v

Signed-off-by: Christian Brabandt <[email protected]>

Author: chrisbra

src/register.c

@@ -2420,7 +2420,8 @@ ex_display(exarg_T *eap)
 
 #ifdef FEAT_EVAL
 	if (name == MB_TOLOWER(redir_reg)
-		|| (redir_reg == '"' && yb == y_previous))
+		|| (vim_strchr((char_u *)"\"*+", redir_reg) != NULL &&
+		    (yb == y_previous || yb == &y_regs[0])))
 	    continue;	    // do not list register being written to, the
 			    // pointer can be freed
 #endif

src/testdir/test_registers.vim

@@ -1102,4 +1102,24 @@ func Test_clipboard_regs_not_working2()
   let $DISPLAY=display
 endfunc
 
+" This caused use-after-free
+func Test_register_redir_display()
+  " don't touch the clipboard, so only perform this, when the clipboard is not working
+  if has("clipboard_working")
+    throw "Skipped: skip touching the clipboard register!"
+  endif
+  let @"=''
+  redir @+>
+  disp +"
+  redir END
+  call assert_equal("\nType Name Content", getreg('+'))
+  let a = [getreg('1'), getregtype('1')]
+  let @1='register 1'
+  redir @+
+  disp 1
+  redir END
+  call assert_equal("register 1", getreg('1'))
+  call setreg(1, a[0], a[1])
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1115,
 /**/
     1114,
 /**/