author | Bram Moolenaar <Bram@vim.org> | 2020-06-29 20:40:37 +0200 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2020-06-29 20:40:37 +0200 |
commit | cf30643ae607ae1a97b50e19c622dc8303723fa2 (patch) | |
tree | 50f884e4ffd81edb93a1b1090002233b52031694 | |
parent | 6d90c61c5a6437ff5058b6c5874ba71bff574e60 (diff) | |
patch 8.2.1086: possibly using freed memory when text properties usedv8.2.1086
Problem: Possibly using freed memory when text properties used when
changing indent of a line.
Solution: Compute the offset before calling ml_replace().
-rw-r--r-- | src/indent.c | 16 | ||||
-rw-r--r-- | src/version.c | 2 |
2 files changed, 12 insertions, 6 deletions
diff --git a/src/indent.c b/src/indent.c
index a1d4d3628..d786f26f2 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -757,6 +757,10 @@ set_indent(
// Replace the line (unless undo fails).
if (!(flags & SIN_UNDO) || u_savesub(curwin->w_cursor.lnum) == OK)
{
+ colnr_T old_offset = (colnr_T)(p - oldline);
+ colnr_T new_offset = (colnr_T)(s - newline);
+
+ // this may free "newline"
ml_replace(curwin->w_cursor.lnum, newline, FALSE);
if (flags & SIN_CHANGED)
changed_bytes(curwin->w_cursor.lnum, 0);
@@ -764,24 +768,24 @@ set_indent(
// Correct saved cursor position if it is in this line.
if (saved_cursor.lnum == curwin->w_cursor.lnum)
{
- if (saved_cursor.col >= (colnr_T)(p - oldline))
+ if (saved_cursor.col >= old_offset)
// cursor was after the indent, adjust for the number of
// bytes added/removed
- saved_cursor.col += ind_len - (colnr_T)(p - oldline);
- else if (saved_cursor.col >= (colnr_T)(s - newline))
+ saved_cursor.col += ind_len - old_offset;
+ else if (saved_cursor.col >= new_offset)
// cursor was in the indent, and is now after it, put it back
// at the start of the indent (replacing spaces with TAB)
- saved_cursor.col = (colnr_T)(s - newline);
+ saved_cursor.col = new_offset;
}
#ifdef FEAT_PROP_POPUP
{
- int added = ind_len - (colnr_T)(p - oldline);
+ int added = ind_len - old_offset;
// When increasing indent this behaves like spaces were inserted at
// the old indent, when decreasing indent it behaves like spaces
// were deleted at the new indent.
adjust_prop_columns(curwin->w_cursor.lnum,
- (colnr_T)(added > 0 ? (p - oldline) : ind_len), added, 0);
+ added > 0 ? old_offset : (colnr_T)ind_len, added, 0);
}
#endif
retval = TRUE;
diff --git a/src/version.c b/src/version.c
index 65dffff6b..6f6e4810b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -755,6 +755,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1086,
+/**/
1085,
/**/
1084, |
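Review bot: The added comment `// this may free "newline"` in the first src/indent.c hunk names only one of the pointers that become unsafe once ml_replace() has run; `s` is used as an offset into the same buffer, and `p`/`oldline` presumably refer to the line being replaced (their origin is outside the hunk), so all four should be treated as dead from that call on. I would spell that out, e.g. `// ml_replace() may free "newline": do not use "newline", "s", "oldline" or "p" below, only old_offset and new_offset`. The second hunk follows that rule in every line it shows, but set_indent() starts before and continues past both hunks, so any later use of these pointers cannot be checked from here. The diffstat lists only src/indent.c and src/version.c, so the fix ships without a regression test; a test that changes the indent of a line carrying a text property, run under a memory checker, would keep the stale-pointer use from coming back.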