mirror of https://github.com/vim/vim.git synced 2025-07-26 11:04:33 -04:00

patch 8.2.0240: using memory after it was freed

Problem:    Using memory after it was freed. (Dominique Pelle)
Solution:   Do not mix conversion buffer with other buffer.
Bram Moolenaar 2020-02-10 22:44:32 +01:00
parent 355757aed6
commit 408030e8d0
3 changed files with 23 additions and 17 deletions


@ -742,6 +742,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
240,
/**/ /**/
239, 239,
/**/ /**/


@ -1129,20 +1129,6 @@ extern int (*dyn_libintl_wputenv)(const wchar_t *envstring);
#define VIMINFO_VERSION_WITH_REGISTERS 3 #define VIMINFO_VERSION_WITH_REGISTERS 3
#define VIMINFO_VERSION_WITH_MARKS 4 #define VIMINFO_VERSION_WITH_MARKS 4
typedef enum {
BVAL_NR,
BVAL_STRING,
BVAL_EMPTY
} btype_T;
typedef struct {
btype_T bv_type;
long bv_nr;
char_u *bv_string;
int bv_len; // length of bv_string
int bv_allocated; // bv_string was allocated
} bval_T;
/* /*
* Values for do_tag(). * Values for do_tag().
*/ */


@ -26,6 +26,21 @@ typedef struct
garray_T vir_barlines; // lines starting with | garray_T vir_barlines; // lines starting with |
} vir_T; } vir_T;
typedef enum {
BVAL_NR,
BVAL_STRING,
BVAL_EMPTY
} btype_T;
typedef struct {
btype_T bv_type;
long bv_nr;
char_u *bv_string;
char_u *bv_tofree; // free later when not NULL
int bv_len; // length of bv_string
int bv_allocated; // bv_string was allocated
} bval_T;
#if defined(FEAT_VIMINFO) || defined(PROTO) #if defined(FEAT_VIMINFO) || defined(PROTO)
static int viminfo_errcnt; static int viminfo_errcnt;
@ -1087,22 +1102,24 @@ barline_parse(vir_T *virp, char_u *text, garray_T *values)
s[len] = NUL; s[len] = NUL;
converted = FALSE; converted = FALSE;
value->bv_tofree = NULL;
if (virp->vir_conv.vc_type != CONV_NONE && *s != NUL) if (virp->vir_conv.vc_type != CONV_NONE && *s != NUL)
{ {
sconv = string_convert(&virp->vir_conv, s, NULL); sconv = string_convert(&virp->vir_conv, s, NULL);
if (sconv != NULL) if (sconv != NULL)
{ {
if (s == buf) if (s == buf)
vim_free(s); // the converted string is stored in bv_string and
// freed later, also need to free "buf" later
value->bv_tofree = buf;
s = sconv; s = sconv;
buf = s;
converted = TRUE; converted = TRUE;
} }
} }
// Need to copy in allocated memory if the string wasn't allocated // Need to copy in allocated memory if the string wasn't allocated
// above and we did allocate before, thus vir_line may change. // above and we did allocate before, thus vir_line may change.
if (s != buf && allocated) if (s != buf && allocated && !converted)
s = vim_strsave(s); s = vim_strsave(s);
value->bv_string = s; value->bv_string = s;
value->bv_type = BVAL_STRING; value->bv_type = BVAL_STRING;
@ -2747,6 +2764,7 @@ read_viminfo_barline(vir_T *virp, int got_encoding, int force, int writing)
vp = (bval_T *)values.ga_data + i; vp = (bval_T *)values.ga_data + i;
if (vp->bv_type == BVAL_STRING && vp->bv_allocated) if (vp->bv_type == BVAL_STRING && vp->bv_allocated)
vim_free(vp->bv_string); vim_free(vp->bv_string);
vim_free(vp->bv_tofree);
} }
ga_clear(&values); ga_clear(&values);
} }
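Review bot: In the read_viminfo_barline hunk, `vim_free(vp->bv_tofree);` sits outside the unbraced `if`, so it runs for every entry in `values`, while the only initialisation visible in this section, `value->bv_tofree = NULL;`, is on the string-parsing path of barline_parse. If BVAL_NR and BVAL_EMPTY entries are not zeroed when their slot is taken from the garray (that code is outside the hunks shown), the cleanup loop would pass an indeterminate pointer to vim_free, trading the use-after-free for an invalid free. Setting `value->bv_tofree = NULL;` at the point where the slot is obtained, or guarding the free with `if (vp->bv_type == BVAL_STRING)`, would make the invariant local and visible. Both functions continue outside the hunks, so this should be confirmed against the full barline_parse body.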