Patch 8.0.1218
Problem: Writing to freed memory in autocmd.
Solution: Make a copy of the file name. (Dominique Pelle, closes #2245)
Files: src/tag.c, src/testdir/test_autocmd.vim
*** ../vim-8.0.1217/src/tag.c 2017-09-16 20:54:47.118560293 +0200
--- src/tag.c 2017-10-26 16:34:42.060731936 +0200
***************
*** 2950,2955 ****
--- 2950,2974 ----
}
/*
+ * Returns the length of a matching tag line.
+ */
+ static size_t
+ matching_line_len(char_u *lbuf)
+ {
+ char_u *p = lbuf + 1;
+
+ /* does the same thing as parse_match() */
+ p += STRLEN(p) + 2;
+ #ifdef FEAT_EMACS_TAGS
+ if (*p)
+ p += STRLEN(p);
+ else
+ ++p;
+ #endif
+ return (p - lbuf) + STRLEN(p);
+ }
+
+ /*
* Parse a line from a matching tag. Does not change the line itself.
*
* The line that we get looks like this:
***************
*** 3071,3077 ****
*/
static int
jumpto_tag(
! char_u *lbuf, /* line from the tags file for this tag */
int forceit, /* :ta with ! */
int keep_help) /* keep help flag (FALSE for cscope) */
{
--- 3090,3096 ----
*/
static int
jumpto_tag(
! char_u *lbuf_arg, /* line from the tags file for this tag */
int forceit, /* :ta with ! */
int keep_help) /* keep help flag (FALSE for cscope) */
{
***************
*** 3079,3085 ****
int save_magic;
int save_p_ws, save_p_scs, save_p_ic;
linenr_T save_lnum;
- int csave = 0;
char_u *str;
char_u *pbuf; /* search pattern buffer */
char_u *pbuf_end;
--- 3098,3103 ----
***************
*** 3099,3116 ****
#ifdef FEAT_FOLDING
int old_KeyTyped = KeyTyped; /* getting the file may
reset it */
#endif
pbuf = alloc(LSIZE);
/* parse the match line into the tagp structure */
! if (pbuf == NULL || parse_match(lbuf, &tagp) == FAIL)
{
tagp.fname_end = NULL;
goto erret;
}
/* truncate the file name, so it can be used as a string */
- csave = *tagp.fname_end;
*tagp.fname_end = NUL;
fname = tagp.fname;
--- 3117,3142 ----
#ifdef FEAT_FOLDING
int old_KeyTyped = KeyTyped; /* getting the file may
reset it */
#endif
+ size_t len;
+ char_u *lbuf;
+
+ /* Make a copy of the line, it can become invalid when an autocommand
calls
+ * back here recursively. */
+ len = matching_line_len(lbuf_arg) + 1;
+ lbuf = alloc((int)len);
+ if (lbuf != NULL)
+ mch_memmove(lbuf, lbuf_arg, len);
pbuf = alloc(LSIZE);
/* parse the match line into the tagp structure */
! if (pbuf == NULL || lbuf == NULL || parse_match(lbuf, &tagp) == FAIL)
{
tagp.fname_end = NULL;
goto erret;
}
/* truncate the file name, so it can be used as a string */
*tagp.fname_end = NUL;
fname = tagp.fname;
***************
*** 3246,3252 ****
--- 3272,3281 ----
#endif
keep_help_flag = curbuf->b_help;
}
+
if (getfile_result == GETFILE_UNUSED)
+ /* Careful: getfile() may trigger autocommands and call jumpto_tag()
+ * recursively. */
getfile_result = getfile(0, fname, NULL, TRUE, (linenr_T)0, forceit);
keep_help_flag = FALSE;
***************
*** 3441,3448 ****
#if defined(FEAT_QUICKFIX)
g_do_tagpreview = 0; /* For next time */
#endif
! if (tagp.fname_end != NULL)
! *tagp.fname_end = csave;
vim_free(pbuf);
vim_free(tofree_fname);
vim_free(full_fname);
--- 3470,3476 ----
#if defined(FEAT_QUICKFIX)
g_do_tagpreview = 0; /* For next time */
#endif
! vim_free(lbuf);
vim_free(pbuf);
vim_free(tofree_fname);
vim_free(full_fname);
*** ../vim-8.0.1217/src/testdir/test_autocmd.vim 2017-10-22
14:23:40.124199208 +0200
--- src/testdir/test_autocmd.vim 2017-10-26 16:02:00.037904285 +0200
***************
*** 249,254 ****
--- 249,272 ----
au! VimEnter
endfunc
+ func Test_BufReadCmdHelp()
+ " This used to cause access to free memory
+ au BufReadCmd * e +h
+ help
+
+ helpclose
+ au! BufReadCmd
+ endfunc
+
+ func Test_BufReadCmdHelpJump()
+ " This used to cause access to free memory
+ au BufReadCmd * e +h{
+ help
+
+ helpclose
+ au! BufReadCmd
+ endfunc
+
func Test_augroup_deleted()
" This caused a crash before E936 was introduced
augroup x
*** ../vim-8.0.1217/src/version.c 2017-10-26 14:28:25.944144974 +0200
--- src/version.c 2017-10-26 15:47:15.247963549 +0200
***************
*** 763,764 ****
--- 763,766 ----
{ /* Add new patch number below this line */
+ /**/
+ 1218,
/**/
--
Be nice to your kids... they'll be the ones choosing your nursing home.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
