patch 8.2.3779: using freed memory when defining a user command recursively v8.2.3779
authorBram Moolenaar <Bram@vim.org>
Fri, 10 Dec 2021 21:46:09 +0000 (21:46 +0000)
committerBram Moolenaar <Bram@vim.org>
Fri, 10 Dec 2021 21:46:09 +0000 (21:46 +0000)
Problem:    Using freed memory when defining a user command from a user
            command.
Solution:   Do not use the command pointer after executing the command.
            (closes #9318)

src/testdir/test_usercommands.vim
src/usercmd.c
src/version.c

index d560f494889c73d38207f9d1d391b2766d08a8fb..b57ed0aa3a3180a69e78a6d9f94077dbf79749ec 100644 (file)
@@ -704,5 +704,24 @@ def Test_count_with_quotes()
   delcommand GetCount
 enddef
 
+func DefCmd(name)
+  if len(a:name) > 30
+    return
+  endif
+  exe 'command ' .. a:name .. ' call DefCmd("' .. a:name .. 'x")'
+  echo a:name
+  exe a:name
+endfunc
+
+func Test_recursive_define()
+  call DefCmd('Command')
+
+  let name = 'Command'
+  while len(name) < 30
+    exe 'delcommand ' .. name
+    let name ..= 'x'
+  endwhile
+endfunc
+
 
 " vim: shiftwidth=2 sts=2 expandtab
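Review bot: The cleanup loop in Test_recursive_define stops one command short. DefCmd defines a command for every name up to and including 30 characters, because its guard is `len(a:name) > 30`, but `while len(name) < 30` deletes only the names of length 7 through 29, so the 30-character command stays defined for whatever test runs next. Changing the condition to `while len(name) <= 30` removes it. The test also contains no assertion, so it catches the use-after-free only when the suite runs under a memory checker such as Valgrind or ASan; a one-line comment above DefCmd saying so would make that dependency explicit.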
index 16fbb0db368068b67911b92fab4b56b4a5cf061a..0cc0034f31d92cd1d4fd209f7a2ecdb3cb418866 100644 (file)
@@ -1670,7 +1670,8 @@ do_ucmd(exarg_T *eap)
     size_t     split_len = 0;
     char_u     *split_buf = NULL;
     ucmd_T     *cmd;
-    sctx_T     save_current_sctx = current_sctx;
+    sctx_T     save_current_sctx;
+    int                restore_current_sctx = FALSE;
 
     if (eap->cmdidx == CMD_USER)
        cmd = USER_CMD(eap->useridx);
@@ -1771,14 +1772,20 @@ do_ucmd(exarg_T *eap)
 
     if ((cmd->uc_argt & EX_KEEPSCRIPT) == 0)
     {
+       restore_current_sctx = TRUE;
+       save_current_sctx = current_sctx;
        current_sctx.sc_version = cmd->uc_script_ctx.sc_version;
 #ifdef FEAT_EVAL
        current_sctx.sc_sid = cmd->uc_script_ctx.sc_sid;
 #endif
     }
+
     (void)do_cmdline(buf, eap->getline, eap->cookie,
                                   DOCMD_VERBOSE|DOCMD_NOWAIT|DOCMD_KEYTYPED);
-    if ((cmd->uc_argt & EX_KEEPSCRIPT) == 0)
+
+    // Careful: Do not use "cmd" here, it may have become invalid if a user
+    // command was added.
+    if (restore_current_sctx)
        current_sctx = save_current_sctx;
     vim_free(buf);
     vim_free(split_buf);
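Review bot: Only a comment keeps `cmd` from being read after `do_cmdline()`; the pointer stays in scope and still holds the stale address, so a later edit to the tail of do_ucmd could reintroduce the use-after-free with no signal unless a memory checker is running. Adding `cmd = NULL;` directly after the `do_cmdline()` call would turn such a regression into an immediate NULL dereference instead of a read of freed memory. The comment names only the case where a user command was added; if deleting or clearing commands from inside the executed command can also invalidate the entry (not visible in this hunk), the comment should mention it. do_ucmd's body starts and ends outside the hunk.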
index 265229f12c2533a7eb9f6f7359ab07f61190d496..25669afa1e9e0e38aaf33d4a8f35958b9e480093 100644 (file)
@@ -753,6 +753,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    3779,
 /**/
     3778,
 /**/