thac0/vim
1
0
Fork 0
forked from aniani/vim
Code Activity

patch 7.4.2323

Browse Source 
Problem:    Using freed memory when using 'formatexpr'. (Dominique Pelle)
Solution:   Make a copy of 'formatexpr' before evaluating it.
This commit is contained in:
Bram Moolenaar
2016-09-04 15:13:39 +02:00
parent bc54f3f3fe
commit d77f9d595e
3 changed files with 34 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/ops.c
View File

@@ -4741,6 +4741,7 @@ fex_format(
int use_sandbox = was_set_insecurely((char_u *)"formatexpr",
OPT_LOCAL);
int r;
char_u *fex;
/*
* Set v:lnum to the first line number and v:count to the number of lines.
@@ -4750,16 +4751,22 @@ fex_format(
set_vim_var_nr(VV_COUNT, count);
set_vim_var_char(c);
/* Make a copy, the option could be changed while calling it. */
fex = vim_strsave(curbuf->b_p_fex);
if (fex == NULL)
return 0;
/*
* Evaluate the function.
*/
if (use_sandbox)
++sandbox;
r = (int)eval_to_number(curbuf->b_p_fex);
r = (int)eval_to_number(fex);
if (use_sandbox)
--sandbox;
set_vim_var_string(VV_CHAR, NULL, -1);
vim_free(fex);
return r;
}