diff options
| author | Bram Moolenaar <Bram@vim.org> | 2020-02-10 22:44:32 +0100 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2020-02-10 22:44:32 +0100 |
| commit | 408030e8d053fe1c871b2fc366363a30ed98c889 (patch) | |
| tree | c6ce9d86863ea59bff2ad192cfd22187760b6492 /src | |
| parent | 355757aed6ae2ae5446882570d89f243e4805937 (diff) | |
| download | vim-git-408030e8d053fe1c871b2fc366363a30ed98c889.tar.gz | |
patch 8.2.0240: using memory after it was freedv8.2.0240
Problem: Using memory after it was freed. (Dominique Pelle)
Solution: Do not mix converion buffer with other buffer.
Diffstat (limited to 'src')
| -rw-r--r-- | src/version.c | 2 | ||||
| -rw-r--r-- | src/vim.h | 14 | ||||
| -rw-r--r-- | src/viminfo.c | 24 |
3 files changed, 23 insertions, 17 deletions
diff --git a/src/version.c b/src/version.c index cf96f4051..7eaf24bdd 100644 --- a/src/version.c +++ b/src/version.c @@ -743,6 +743,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 240, +/**/ 239, /**/ 238, @@ -1129,20 +1129,6 @@ extern int (*dyn_libintl_wputenv)(const wchar_t *envstring); #define VIMINFO_VERSION_WITH_REGISTERS 3 #define VIMINFO_VERSION_WITH_MARKS 4 -typedef enum { - BVAL_NR, - BVAL_STRING, - BVAL_EMPTY -} btype_T; - -typedef struct { - btype_T bv_type; - long bv_nr; - char_u *bv_string; - int bv_len; // length of bv_string - int bv_allocated; // bv_string was allocated -} bval_T; - /* * Values for do_tag(). */ diff --git a/src/viminfo.c b/src/viminfo.c index b2b7ab28b..897e86462 100644 --- a/src/viminfo.c +++ b/src/viminfo.c @@ -26,6 +26,21 @@ typedef struct garray_T vir_barlines; // lines starting with | } vir_T; +typedef enum { + BVAL_NR, + BVAL_STRING, + BVAL_EMPTY +} btype_T; + +typedef struct { + btype_T bv_type; + long bv_nr; + char_u *bv_string; + char_u *bv_tofree; // free later when not NULL + int bv_len; // length of bv_string + int bv_allocated; // bv_string was allocated +} bval_T; + #if defined(FEAT_VIMINFO) || defined(PROTO) static int viminfo_errcnt; @@ -1087,22 +1102,24 @@ barline_parse(vir_T *virp, char_u *text, garray_T *values) s[len] = NUL; converted = FALSE; + value->bv_tofree = NULL; if (virp->vir_conv.vc_type != CONV_NONE && *s != NUL) { sconv = string_convert(&virp->vir_conv, s, NULL); if (sconv != NULL) { if (s == buf) - vim_free(s); + // the converted string is stored in bv_string and + // freed later, also need to free "buf" later + value->bv_tofree = buf; s = sconv; - buf = s; converted = TRUE; } } // Need to copy in allocated memory if the string wasn't allocated // above and we did allocate before, thus vir_line may change. - if (s != buf && allocated) + if (s != buf && allocated && !converted) s = vim_strsave(s); value->bv_string = s; value->bv_type = BVAL_STRING; @@ -2747,6 +2764,7 @@ read_viminfo_barline(vir_T *virp, int got_encoding, int force, int writing) vp = (bval_T *)values.ga_data + i; if (vp->bv_type == BVAL_STRING && vp->bv_allocated) vim_free(vp->bv_string); + vim_free(vp->bv_tofree); } ga_clear(&values); } |