To: vim_dev@googlegroups.com Subject: Patch 8.2.0240 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.0240 Problem: Using memory after it was freed. (Dominique Pelle) Solution: Do not mix converion buffer with other buffer. Files: src/viminfo.c, src/vim.h *** ../vim-8.2.0239/src/viminfo.c 2020-01-26 15:52:33.027833222 +0100 --- src/viminfo.c 2020-02-10 22:40:12.632784937 +0100 *************** *** 26,31 **** --- 26,46 ---- garray_T vir_barlines; // lines starting with | } vir_T; + typedef enum { + BVAL_NR, + BVAL_STRING, + BVAL_EMPTY + } btype_T; + + typedef struct { + btype_T bv_type; + long bv_nr; + char_u *bv_string; + char_u *bv_tofree; // free later when not NULL + int bv_len; // length of bv_string + int bv_allocated; // bv_string was allocated + } bval_T; + #if defined(FEAT_VIMINFO) || defined(PROTO) static int viminfo_errcnt; *************** *** 1087,1108 **** s[len] = NUL; converted = FALSE; if (virp->vir_conv.vc_type != CONV_NONE && *s != NUL) { sconv = string_convert(&virp->vir_conv, s, NULL); if (sconv != NULL) { if (s == buf) ! vim_free(s); s = sconv; - buf = s; converted = TRUE; } } // Need to copy in allocated memory if the string wasn't allocated // above and we did allocate before, thus vir_line may change. ! if (s != buf && allocated) s = vim_strsave(s); value->bv_string = s; value->bv_type = BVAL_STRING; --- 1102,1125 ---- s[len] = NUL; converted = FALSE; + value->bv_tofree = NULL; if (virp->vir_conv.vc_type != CONV_NONE && *s != NUL) { sconv = string_convert(&virp->vir_conv, s, NULL); if (sconv != NULL) { if (s == buf) ! // the converted string is stored in bv_string and ! // freed later, also need to free "buf" later ! value->bv_tofree = buf; s = sconv; converted = TRUE; } } // Need to copy in allocated memory if the string wasn't allocated // above and we did allocate before, thus vir_line may change. ! if (s != buf && allocated && !converted) s = vim_strsave(s); value->bv_string = s; value->bv_type = BVAL_STRING; *************** *** 2747,2752 **** --- 2764,2770 ---- vp = (bval_T *)values.ga_data + i; if (vp->bv_type == BVAL_STRING && vp->bv_allocated) vim_free(vp->bv_string); + vim_free(vp->bv_tofree); } ga_clear(&values); } *** ../vim-8.2.0239/src/vim.h 2020-02-06 19:25:02.628298164 +0100 --- src/vim.h 2020-02-10 22:39:28.616885492 +0100 *************** *** 1129,1148 **** #define VIMINFO_VERSION_WITH_REGISTERS 3 #define VIMINFO_VERSION_WITH_MARKS 4 - typedef enum { - BVAL_NR, - BVAL_STRING, - BVAL_EMPTY - } btype_T; - - typedef struct { - btype_T bv_type; - long bv_nr; - char_u *bv_string; - int bv_len; // length of bv_string - int bv_allocated; // bv_string was allocated - } bval_T; - /* * Values for do_tag(). */ --- 1129,1134 ---- *** ../vim-8.2.0239/src/version.c 2020-02-10 22:06:28.724574110 +0100 --- src/version.c 2020-02-10 22:28:17.239435285 +0100 *************** *** 744,745 **** --- 744,747 ---- { /* Add new patch number below this line */ + /**/ + 240, /**/ -- Master: Boy, there is nothing more for you to learn Student: I didn't know that! /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///