thac0/vim
1
0
Fork 0
forked from aniani/vim
Code

patch 9.0.1052: using freed memory on exit when EXITFREE is defined

Browse Source 
Problem:    Using freed memory on exit when EXITFREE is defined.
Solution:   Make a deep copy of the type.  Make sure TTFLAG_STATIC is not set
            in the copy.
This commit is contained in:
Bram Moolenaar 2022-12-13 13:42:37 +00:00
parent cb94c91070
commit 692fe0889c
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/version.c
View File

@ -695,6 +695,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
1052,
/**/
1051,
/**/

51
src/vim9type.c
View File

@ -57,6 +57,7 @@ copy_type(type_T *type, garray_T *type_gap)
if (copy == NULL)
return type;
*copy = *type;
copy->tt_flags &= ~TTFLAG_STATIC;
if (type->tt_args != NULL
&& func_type_add_arg_types(copy, type->tt_argcount, type_gap) == OK)
@ -66,6 +67,54 @@ copy_type(type_T *type, garray_T *type_gap)
return copy;
}
/*
* Inner part of copy_type_deep().
* When allocation fails returns "type".
*/
static type_T *
copy_type_deep_rec(type_T *type, garray_T *type_gap, garray_T *seen_types)
{
for (int i = 0; i < seen_types->ga_len; ++i)
if (((type_T **)seen_types->ga_data)[i * 2] == type)
// seen this type before, return the copy we made
return ((type_T **)seen_types->ga_data)[i * 2 + 1];
type_T *copy = copy_type(type, type_gap);
if (ga_grow(seen_types, 1) == FAIL)
return copy;
((type_T **)seen_types->ga_data)[seen_types->ga_len * 2] = type;
((type_T **)seen_types->ga_data)[seen_types->ga_len * 2 + 1] = copy;
++seen_types->ga_len;
if (copy->tt_member != NULL)
copy->tt_member = copy_type_deep_rec(copy->tt_member,
type_gap, seen_types);
if (type->tt_args != NULL)
for (int i = 0; i < type->tt_argcount; ++i)
copy->tt_args[i] = copy_type_deep_rec(copy->tt_args[i],
type_gap, seen_types);
return copy;
}
/*
* Make a deep copy of "type".
* When allocation fails returns "type".
*/
static type_T *
copy_type_deep(type_T *type, garray_T *type_gap)
{
garray_T seen_types;
// stores type pairs : a type we have seen and the copy used
ga_init2(&seen_types, sizeof(type_T *) * 2, 20);
type_T *res = copy_type_deep_rec(type, type_gap, &seen_types);
ga_clear(&seen_types);
return res;
}
void
clear_type_list(garray_T *gap)
{
@ -404,7 +453,7 @@ typval2type_int(typval_T *tv, int copyID, garray_T *type_gap, int flags)
|| (flags & TVTT_MORE_SPECIFIC) == 0
|| l->lv_type->tt_member != &t_any))
// make a copy, lv_type may be freed if the list is freed
return copy_type(l->lv_type, type_gap);
return copy_type_deep(l->lv_type, type_gap);
if (l->lv_first == &range_list_item)
return &t_list_number;
if (l->lv_copyID == copyID)