Bram,
the Neovim¹ project detected a use-after-free when loading a
colorscheme.
Credit goes to oni-link from the Neovim project. He has also clearly
explained in the pull request² how that can happen, so I just skip the
explanation. I have just slightly adapted the code to match Vim's style.
diff --git a/src/syntax.c b/src/syntax.c
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -6988,8 +6988,17 @@ init_highlight(both, reset)
* and 'background' or 't_Co' is changed.
*/
p = get_var_value((char_u *)"g:colors_name");
- if (p != NULL && load_colors(p) == OK)
- return;
+ if (p != NULL)
+ {
+ /* Value of g:colors_name could be freed in load_colors()
+ * and make p invalid, so copy it. */
+ char_u *copy_p = vim_strsave(p);
+ if (load_colors(copy_p))
+ {
+ vim_free(copy_p);
+ return;
+ }
+ }
#endif
/*
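Review bot: the failure path leaks copy_p: vim_free(copy_p) is only reached inside the `if (load_colors(copy_p))` branch, so whenever load_colors() returns FAIL the string allocated by vim_strsave() is never released. Free the copy unconditionally after the call and keep the result, e.g. `int r = load_colors(copy_p); vim_free(copy_p); if (r == OK) return;`. Two smaller points: the removed line tested `load_colors(p) == OK` explicitly while the new condition relies on OK being non-zero, so keeping `== OK` would match the surrounding code; and vim_strsave() returns NULL when allocation fails, so copy_p needs its own NULL check before it is handed to load_colors() (the existing `p != NULL` check does not cover the copy).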
¹ https://github.com/oni-link/neovim/commit/b7e7eb28b19ad43ed3aa4d2c570273f511cca34b
² https://github.com/neovim/neovim/pull/2138
Best,
Christian
--
Howlers from letters written by policyholders:
I ran over a man. He admitted it was his fault, since this had already
happened to him once before.
--
You received this message from the "vim_dev" maillist.