Patch 8.2.4139
Problem:    Using freed memory if an expression abbreviation deletes the
            abbreviation.
Solution:   Do not access the pointer after evaluating the expression.
Files:      src/map.c, src/testdir/test_mapping.vim


*** ../vim-8.2.4138/src/map.c   2022-01-16 14:58:31.052581613 +0000
--- src/map.c   2022-01-18 20:26:26.880966887 +0000
***************
*** 226,232 ****
  #endif
        int         simplified)
  {
!     mapblock_T        *mp = ALLOC_ONE(mapblock_T);
  
      if (mp == NULL)
        return FAIL;
--- 226,232 ----
  #endif
        int         simplified)
  {
!     mapblock_T        *mp = ALLOC_CLEAR_ONE(mapblock_T);
  
      if (mp == NULL)
        return FAIL;
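Review bot: The switch from `ALLOC_ONE` to `ALLOC_CLEAR_ONE` is not covered by the patch description, which only talks about not accessing the pointer after evaluating the expression. If the intent is that fields not assigned later in this function start out as zero, a one-line comment would keep the change from being reverted as redundant, for example `// zero-fill: not every field is assigned below`. The rest of the function body is outside the hunk, so which fields rely on the zero fill cannot be confirmed from here.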
***************
*** 1515,1520 ****
--- 1515,1526 ----
        }
        if (mp != NULL)
        {
+           int noremap;
+           int silent;
+ #ifdef FEAT_EVAL
+           int expr;
+ #endif
+ 
            // Found a match:
            // Insert the rest of the abbreviation in typebuf.tb_buf[].
            // This goes from end to start.
***************
*** 1567,1574 ****
                                        // insert the last typed char
                (void)ins_typebuf(tb, 1, 0, TRUE, mp->m_silent);
            }
  #ifdef FEAT_EVAL
!           if (mp->m_expr)
                s = eval_map_expr(mp, c);
            else
  #endif
--- 1573,1586 ----
                                        // insert the last typed char
                (void)ins_typebuf(tb, 1, 0, TRUE, mp->m_silent);
            }
+ 
+           // copy values here, calling eval_map_expr() may make "mp" invalid!
+           noremap = mp->m_noremap;
+           silent = mp->m_silent;
  #ifdef FEAT_EVAL
!           expr = mp->m_expr;
! 
!           if (expr)
                s = eval_map_expr(mp, c);
            else
  #endif
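Review bot: Nothing stops a later edit from dereferencing `mp` again after `eval_map_expr()` returns. The copies into `noremap`, `silent` and `expr` fix today's reads, but the possibly dangling pointer stays in scope until `return TRUE`. Bracing the `if (expr)` branch and adding `mp = NULL;` directly after `s = eval_map_expr(mp, c);` would turn any future stale read into an immediate NULL dereference instead of a silent use of freed memory. As far as the visible hunks show, the expression path does not need `mp` after the call, but the line between this hunk and the next is not shown, so check that the `else` branch is the only remaining user.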
***************
*** 1576,1586 ****
            if (s != NULL)
            {
                                        // insert the to string
!               (void)ins_typebuf(s, mp->m_noremap, 0, TRUE, mp->m_silent);
                                        // no abbrev. for these chars
                typebuf.tb_no_abbr_cnt += (int)STRLEN(s) + j + 1;
  #ifdef FEAT_EVAL
!               if (mp->m_expr)
                    vim_free(s);
  #endif
            }
--- 1588,1598 ----
            if (s != NULL)
            {
                                        // insert the to string
!               (void)ins_typebuf(s, noremap, 0, TRUE, silent);
                                        // no abbrev. for these chars
                typebuf.tb_no_abbr_cnt += (int)STRLEN(s) + j + 1;
  #ifdef FEAT_EVAL
!               if (expr)
                    vim_free(s);
  #endif
            }
***************
*** 1590,1596 ****
            if (has_mbyte)
                len = clen;     // Delete characters instead of bytes
            while (len-- > 0)           // delete the from string
!               (void)ins_typebuf(tb, 1, 0, TRUE, mp->m_silent);
            return TRUE;
        }
      }
--- 1602,1608 ----
            if (has_mbyte)
                len = clen;     // Delete characters instead of bytes
            while (len-- > 0)           // delete the from string
!               (void)ins_typebuf(tb, 1, 0, TRUE, silent);
            return TRUE;
        }
      }
***************
*** 1601,1606 ****
--- 1613,1619 ----
  /*
   * Evaluate the RHS of a mapping or abbreviations and take care of escaping
   * special characters.
+  * Careful: after this "mp" will be invalid if the mapping was deleted.
   */
      char_u *
  eval_map_expr(
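Review bot: The added warning states the hazard but not what a caller has to do about it, and it says nothing about the function's own use of `mp`. I would extend the comment with `Callers must copy the fields of "mp" they need before calling.` Since the body lies outside this hunk, it is also worth confirming that eval_map_expr() reads everything it needs from `mp` before it starts evaluating. Any other caller not touched by this patch deserves the same check.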
*** ../vim-8.2.4138/src/testdir/test_mapping.vim        2022-01-16 
15:52:32.020847559 +0000
--- src/testdir/test_mapping.vim        2022-01-18 20:21:15.417676798 +0000
***************
*** 704,709 ****
--- 704,714 ----
    mapclear
  endfunc
  
+ func GetAbbrText()
+   unabbr hola
+   return 'hello'
+ endfunc
+ 
  " Test for <expr> in abbreviation
  func Test_expr_abbr()
    new
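Review bot: `GetAbbrText()` exercises only the case where the abbreviation removes itself with `unabbr hola`. The assertions added to Test_expr_abbr check the inserted text and the missing abbreviation, which may well pass on an unfixed build too. The regression is therefore presumably only caught when the suite runs under a memory checker such as ASan or Valgrind; a comment above the function saying so would help. A second helper that invalidates the abbreviation another way, for example with `abclear`, would cover the neighbouring path with the same assertions.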
***************
*** 719,725 ****
    call assert_equal('', getline(1))
    unabbr <expr> hte
  
!   close!
  endfunc
  
  " Test for storing mappings in different modes in a vimrc file
--- 724,737 ----
    call assert_equal('', getline(1))
    unabbr <expr> hte
  
!   " evaluating the expression deletes the abbreviation
!   abbr <expr> hola GetAbbrText()
!   call assert_equal('GetAbbrText()', maparg('hola', 'i', '1'))
!   call feedkeys("ahola \<Esc>", 'xt')
!   call assert_equal('hello ', getline('.'))
!   call assert_equal('', maparg('hola', 'i', '1'))
! 
!   bwipe!
  endfunc
  
  " Test for storing mappings in different modes in a vimrc file
*** ../vim-8.2.4138/src/version.c       2022-01-18 18:46:03.729827420 +0000
--- src/version.c       2022-01-18 20:30:01.048519950 +0000
***************
*** 752,753 ****
--- 752,755 ----
  {   /* Add new patch number below this line */
+ /**/
+     4139,
  /**/

-- 
BLACK KNIGHT:  I move for no man.
ARTHUR:        So be it!
    [hah] [parry thrust]
    [ARTHUR chops the BLACK KNIGHT's left arm off]
ARTHUR:        Now stand aside, worthy adversary.
BLACK KNIGHT:  'Tis but a scratch.
                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///                                                                      \\\
\\\        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
