vim-patch:8.2.5050: using freed memory when searching for pattern in path

Problem: Using freed memory when searching for pattern in path. Solution: Make a copy of the line. 409510c588 Cherry-pick Test_def_search() -> Test_macro_search() from patch 8.2.0369
2025-10-02 16:08:36 +00:00 · 2022-07-12 16:17:36 +08:00
parent 4aa4675fbf
commit aa373e3abb
2 changed files with 25 additions and 4 deletions
--- a/src/nvim/search.c
+++ b/src/nvim/search.c
@@ -5303,6 +5303,16 @@ void f_matchfuzzypos(typval_T *argvars, typval_T *rettv, FunPtr fptr)
  do_fuzzymatch(argvars, rettv, true);
 }

+/// Get line "lnum" and copy it into "buf[LSIZE]".
+/// The copy is made because the regexp may make the line invalid when using a
+/// mark.
+static char_u *get_line_and_copy(linenr_T lnum, char_u *buf)
+{
+  char_u *line = ml_get(lnum);
+  STRLCPY(buf, line, LSIZE);
+  return buf;
+}
+
 /// Find identifiers or defines in included files.
 /// If p_ic && (compl_cont_status & CONT_SOL) then ptr must be in lowercase.
 ///
@@ -5399,7 +5409,7 @@ void find_pattern_in_path(char_u *ptr, Direction dir, size_t len, bool whole, bo
  if (lnum > end_lnum) {                // do at least one line
    lnum = end_lnum;
  }
-  line = ml_get(lnum);
+  line = get_line_and_copy(lnum, file_line);

  for (;;) {
    if (incl_regmatch.regprog != NULL
@@ -5687,7 +5697,7 @@ search_line:
            if (lnum >= end_lnum) {
              goto exit_matched;
            }
-            line = ml_get(++lnum);
+            line = get_line_and_copy(++lnum, file_line);
          } else if (vim_fgets(line = file_line,
                               LSIZE, files[depth].fp)) {
            goto exit_matched;
@@ -5879,7 +5889,7 @@ exit_matched:
      if (++lnum > end_lnum) {
        break;
      }
-      line = ml_get(lnum);
+      line = get_line_and_copy(lnum, file_line);
    }
    already = NULL;
  }
--- a/src/nvim/testdir/test_tagjump.vim
+++ b/src/nvim/testdir/test_tagjump.vim
@@ -1180,9 +1180,20 @@ func Test_inc_search()
  close!
 endfunc

+" this was using a line from ml_get() freed by the regexp
+func Test_isearch_copy_line()
+  new
+  norm o
+  norm 0
+  0norm o
+  sil! norm bc0
+  sil! isearch \%')
+  bwipe!
+endfunc
+
 " Test for :dsearch, :dlist, :djump and :dsplit commands
 " Test for [d, ]d, [D, ]D, [ CTRL-D, ] CTRL-D and CTRL-W d commands
-func Test_def_search()
+func Test_macro_search()
  new
  call setline(1, ['#define FOO 1', '#define FOO 2', '#define FOO 3',
        \ '#define FOO 4', '#define FOO 5'])