vim-patch:8.0.1218: writing to freed memory in autocmd

Problem:    Writing to freed memory in autocmd.
Solution:   Make a copy of the tag line. (Dominique Pelle, closes vim/vim#2245)
8d84ff1a3c
Jan Edmund Lazo
2018-08-14 10:18:08 -04:00
parent 84569693e1
commit 5e38ff105c
2 changed files with 40 additions and 10 deletions


@@ -2217,6 +2217,16 @@ static bool test_for_static(tagptrs_T *tagp)
return FALSE; return FALSE;
} }
// Returns the length of a matching tag line.
static size_t matching_line_len(const char_u *const lbuf)
{
const char_u *p = lbuf + 1;
// does the same thing as parse_match()
p += STRLEN(p) + 2;
return (p - lbuf) + STRLEN(p);
}
/* /*
* Parse a line from a matching tag. Does not change the line itself. * Parse a line from a matching tag. Does not change the line itself.
* *
@@ -2300,11 +2310,10 @@ static char_u *tag_full_fname(tagptrs_T *tagp)
* *
* returns OK for success, NOTAGFILE when file not found, FAIL otherwise. * returns OK for success, NOTAGFILE when file not found, FAIL otherwise.
*/ */
static int static int jumpto_tag(
jumpto_tag ( const char_u *lbuf_arg, // line from the tags file for this tag
char_u *lbuf, /* line from the tags file for this tag */ int forceit, // :ta with !
int forceit, /* :ta with ! */ int keep_help // keep help flag (FALSE for cscope)
int keep_help /* keep help flag (FALSE for cscope) */
) )
{ {
int save_secure; int save_secure;
@@ -2312,7 +2321,6 @@ jumpto_tag (
bool save_p_ws; bool save_p_ws;
int save_p_scs, save_p_ic; int save_p_scs, save_p_ic;
linenr_T save_lnum; linenr_T save_lnum;
int csave = 0;
char_u *str; char_u *str;
char_u *pbuf; /* search pattern buffer */ char_u *pbuf; /* search pattern buffer */
char_u *pbuf_end; char_u *pbuf_end;
@@ -2327,6 +2335,9 @@ jumpto_tag (
char_u *full_fname = NULL; char_u *full_fname = NULL;
int old_KeyTyped = KeyTyped; /* getting the file may reset it */ int old_KeyTyped = KeyTyped; /* getting the file may reset it */
const int l_g_do_tagpreview = g_do_tagpreview; const int l_g_do_tagpreview = g_do_tagpreview;
const size_t len = matching_line_len(lbuf_arg) + 1;
char_u *lbuf = xmalloc(len);
memmove(lbuf, lbuf_arg, len);
pbuf = xmalloc(LSIZE); pbuf = xmalloc(LSIZE);
@@ -2336,8 +2347,7 @@ jumpto_tag (
goto erret; goto erret;
} }
/* truncate the file name, so it can be used as a string */ // truncate the file name, so it can be used as a string
csave = *tagp.fname_end;
*tagp.fname_end = NUL; *tagp.fname_end = NUL;
fname = tagp.fname; fname = tagp.fname;
@@ -2447,7 +2457,10 @@ jumpto_tag (
else else
keep_help_flag = curbuf->b_help; keep_help_flag = curbuf->b_help;
} }
if (getfile_result == GETFILE_UNUSED) { if (getfile_result == GETFILE_UNUSED) {
// Careful: getfile() may trigger autocommands and call jumpto_tag()
// recursively.
getfile_result = getfile(0, fname, NULL, true, (linenr_T)0, forceit); getfile_result = getfile(0, fname, NULL, true, (linenr_T)0, forceit);
} }
keep_help_flag = false; keep_help_flag = false;
@@ -2606,8 +2619,7 @@ jumpto_tag (
erret: erret:
g_do_tagpreview = 0; /* For next time */ g_do_tagpreview = 0; /* For next time */
if (tagp.fname_end != NULL) xfree(lbuf);
*tagp.fname_end = csave;
xfree(pbuf); xfree(pbuf);
xfree(tofree_fname); xfree(tofree_fname);
xfree(full_fname); xfree(full_fname);
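Review bot: matching_line_len() in the first hunk hard-codes the byte layout of a match line (one leading byte, a NUL-terminated field, one more byte, then the NUL-terminated remainder) and the comment `// does the same thing as parse_match()` only hints that the two must stay in step; a silent divergence would truncate the private copy that jumpto_tag() now relies on to outlive autocommands, so I would make the contract explicit: `// Must mirror the walk in parse_match(): skip the leading byte, the first NUL-terminated field and one more byte, then measure the remainder. The result excludes the terminating NUL.` In jumpto_tag() the copy `memmove(lbuf, lbuf_arg, len);` can be `memcpy(lbuf, lbuf_arg, len);`, since the destination is a fresh xmalloc() allocation and cannot overlap the source. The `+ 1` in `const size_t len = matching_line_len(lbuf_arg) + 1;` deserves a trailing `// +1 for the terminating NUL` so the pairing with the length function is visible at the call site. jumpto_tag() begins and ends outside the visible hunks, so I cannot confirm from here that every exit path reaches `erret:` where the copy is freed.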


@@ -248,6 +248,24 @@ func Test_augroup_warning()
au! VimEnter au! VimEnter
endfunc endfunc
func Test_BufReadCmdHelp()
" This used to cause access to free memory
au BufReadCmd * e +h
help
helpclose
au! BufReadCmd
endfunc
func Test_BufReadCmdHelpJump()
" This used to cause access to free memory
au BufReadCmd * e +h{
help
helpclose
au! BufReadCmd
endfunc
func Test_augroup_deleted() func Test_augroup_deleted()
" This caused a crash before E936 was introduced " This caused a crash before E936 was introduced
augroup x augroup x
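Review bot: In both new tests (Test_BufReadCmdHelp and Test_BufReadCmdHelpJump) the cleanup `au! BufReadCmd` is only reached when `help` and `helpclose` succeed; if either throws, the global BufReadCmd autocommand stays installed and fires in every later test that reads a buffer. Wrapping the two commands in `try` … `finally` with `au! BufReadCmd` in the finally branch (`try`, `help`, `helpclose`, `finally`, `au! BufReadCmd`, `endtry`) keeps the cleanup unconditional. The two tests also carry the identical comment `" This used to cause access to free memory`, which does not say how they differ; the only difference is the `{` appended to the `+h` command, and the name suggests the second test exercises a tag jump from inside the autocommand, so I would say so, e.g. `" Like Test_BufReadCmdHelp, but the autocommand also jumps to a help tag`. Test_augroup_deleted continues outside the hunk.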