diff options
author | Bram Moolenaar <Bram@vim.org> | 2022-07-02 15:10:00 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2022-07-02 15:10:00 +0100 |
commit | c5274dd12224421f2430b30c53b881b9403d649e (patch) | |
tree | 5877c6122e443a0ffe127bc39ea13f356fc00cf8 /src | |
parent | c6fdb15d423df22e1776844811d082322475e48a (diff) | |
download | vim-git-c5274dd12224421f2430b30c53b881b9403d649e.tar.gz |
patch 9.0.0026: accessing freed memory with diff putv9.0.0026
Problem: Accessing freed memory with diff put.
Solution: Bail out when diff pointer is no longer valid.
Diffstat (limited to 'src')
-rw-r--r-- | src/diff.c | 24 | ||||
-rw-r--r-- | src/version.c | 2 |
2 files changed, 24 insertions, 2 deletions
diff --git a/src/diff.c b/src/diff.c index 91e5ae2f2..e4bafe2c9 100644 --- a/src/diff.c +++ b/src/diff.c @@ -2643,6 +2643,20 @@ nv_diffgetput(int put, long count) } /* + * Return TRUE if "diff" appears in the list of diff blocks of the current tab. + */ + static int +valid_diff(diff_T *diff) +{ + diff_T *dp; + + for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next) + if (dp == diff) + return TRUE; + return FALSE; +} + +/* * ":diffget" * ":diffput" */ @@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap) } } - // Adjust marks. This will change the following entries! if (added != 0) { + // Adjust marks. This will change the following entries! mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added); if (curwin->w_cursor.lnum >= lnum) { @@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap) #endif vim_free(dfree); } - else + + // mark_adjust() may have made "dp" invalid. We don't know where + // to continue then, bail out. + if (added != 0 && !valid_diff(dp)) + break; + + if (dfree == NULL) // mark_adjust() may have changed the count in a wrong way dp->df_count[idx_to] = new_count; diff --git a/src/version.c b/src/version.c index 8c9325d94..0eb586396 100644 --- a/src/version.c +++ b/src/version.c @@ -736,6 +736,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 26, +/**/ 25, /**/ 24, |