authorBram Moolenaar <Bram@vim.org>2022-09-17 19:43:23 +0100
committerBram Moolenaar <Bram@vim.org>2022-09-17 19:43:23 +0100
commit1c3dd8ddcba63c1af5112e567215b3cec2de11d0 (patch)
treeaf01369780ad70339d079d0a9297d3dfe2b037b6
parentfb593c5350e8fe23b608ded5a011cd7eefe73922 (diff)
downloadvim-git-1c3dd8ddcba63c1af5112e567215b3cec2de11d0.tar.gz
patch 9.0.0490: using freed memory with cmdwin and BufEnter autocmdv9.0.0490
Problem: Using freed memory with cmdwin and BufEnter autocmd. Solution: Make sure pointer to b_p_iminsert is still valid.
-rw-r--r--src/ex_getln.c8
-rw-r--r--src/testdir/test_cmdwin.vim10
-rw-r--r--src/version.c2
3 files changed, 18 insertions, 2 deletions
diff --git a/src/ex_getln.c b/src/ex_getln.c
index 70436b31f..a4fb61145 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -1587,6 +1587,7 @@ getcmdline_int(
#endif
expand_T xpc;
long *b_im_ptr = NULL;
+ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
cmdline_info_T save_ccline;
int did_save_ccline = FALSE;
int cmdline_type;
@@ -1683,6 +1684,7 @@ getcmdline_int(
b_im_ptr = &curbuf->b_p_iminsert;
else
b_im_ptr = &curbuf->b_p_imsearch;
+ b_im_ptr_buf = curbuf;
if (*b_im_ptr == B_IMODE_LMAP)
State |= MODE_LANGMAP;
#ifdef HAVE_INPUT_METHOD
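Review bot: `b_im_ptr_buf = curbuf;` stores a bare `buf_T *`, so the later `buf_valid()` checks can only tell whether that address is currently a listed buffer. If the original buffer is wiped and a new one is allocated at the same address, the check would pass and `b_im_ptr` would address the new buffer's option field, which is live memory but not the buffer the command line started in. Vim's `bufref_T` with `set_bufref()` / `bufref_valid()` exists for this case; consider `set_bufref(&b_im_ptr_bufref, curbuf);` here, with a matching declaration and `bufref_valid(&b_im_ptr_bufref)` at the use sites. Whether address reuse is actually reachable on this path cannot be seen from the hunk.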
@@ -2034,7 +2036,8 @@ getcmdline_int(
goto cmdline_not_changed;
case Ctrl_HAT:
- cmdline_toggle_langmap(b_im_ptr);
+ cmdline_toggle_langmap(
+ buf_valid(b_im_ptr_buf) ? b_im_ptr : NULL);
goto cmdline_not_changed;
// case '@': only in very old vi
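Review bot: The validity test is repeated at each dereference (here and in the `returncmd:` hunk) while `b_im_ptr` itself stays dangling, so any other or future use of `b_im_ptr` in `getcmdline_int()` has to remember the same guard. A comment at the declaration such as `// only dereference after buf_valid(b_im_ptr_buf)` would make that contract explicit. Alternatively the pointer could be cleared once with `if (!buf_valid(b_im_ptr_buf)) b_im_ptr = NULL;` after the code that can trigger autocommands. The new call also relies on `cmdline_toggle_langmap()` accepting NULL, which is not shown here. The function body starts and ends outside this hunk.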
@@ -2544,7 +2547,8 @@ returncmd:
#endif
#ifdef HAVE_INPUT_METHOD
- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+ && *b_im_ptr != B_IMODE_LMAP)
im_save_status(b_im_ptr);
im_set_active(FALSE);
#endif
diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
index d62673aba..fe849bcc1 100644
--- a/src/testdir/test_cmdwin.vim
+++ b/src/testdir/test_cmdwin.vim
@@ -378,5 +378,15 @@ func Test_normal_escape()
call assert_equal('" bar', @:)
endfunc
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
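Review bot: `Test_cmdwin_freed_buffer_ptr()` contains no assertion, so on a build without a memory checker it passes whether or not the fix is present. The header comment should say so, e.g. `" Only detects the problem when run under valgrind or ASan.` The `BufEnter` autocommand is also defined outside an augroup and removed only by the final `au! BufEnter`, so if an earlier command aborts the function it could stay active for later tests. Wrapping it in a named augroup and clearing that group would keep the cleanup targeted.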
diff --git a/src/version.c b/src/version.c
index f4c5fb4a8..7d7ac1654 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 490,
+/**/
489,
/**/
488,