]> granicus.if.org Git - vim/commitdiff
projects / vim / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: baefde1)
patch 9.0.0047: using freed memory with recursive substitute v9.0.0047
authorBram Moolenaar <Bram@vim.org>
Thu, 7 Jul 2022 21:20:31 +0000 (22:20 +0100)
committerBram Moolenaar <Bram@vim.org>
Thu, 7 Jul 2022 21:20:31 +0000 (22:20 +0100)
Problem:    Using freed memory with recursive substitute.
Solution:   Always make a copy for reg_prev_sub.

src/ex_cmds.c patch | blob | history
src/regexp.c patch | blob | history
src/testdir/test_regexp_latin.vim patch | blob | history
src/version.c patch | blob | history

diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index eb3016fe571e20d230f2ddba3c481c42a3c1f3b4..5253863c871f98f6d638dbe472e2025e90ce95bf 100644 (file)
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -3994,7 +3994,16 @@ ex_substitute(exarg_T *eap)
        sub_copy = sub;
     }
     else
-       sub = regtilde(sub, magic_isset());
+    {
+       char_u *newsub = regtilde(sub, magic_isset());
+
+       if (newsub != sub)
+       {
+           // newsub was allocated, free it later.
+           sub_copy = newsub;
+           sub = newsub;
+       }
+    }
 
     /*
      * Check for a match on each line.
diff --git a/src/regexp.c b/src/regexp.c
index 2cbe64eb89caea62d5b6d745cdf57d42c742dd9d..f35a5e8002b111e58e81f4bd12cad85c39967c63 100644 (file)
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1766,11 +1766,11 @@ regtilde(char_u *source, int magic)
        }
     }
 
+    // Store a copy of newsub  in reg_prev_sub.  It is always allocated,
+    // because recursive calls may make the returned string invalid.
     vim_free(reg_prev_sub);
-    if (newsub != source)      // newsub was allocated, just keep it
-       reg_prev_sub = newsub;
-    else                       // no ~ found, need to save newsub
-       reg_prev_sub = vim_strsave(newsub);
+    reg_prev_sub = vim_strsave(newsub);
+
     return newsub;
 }
 
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 1fe4699d1064e98e49250cc3a2b7aea4f7b9a96c..dce6709ff779cbfceba2404a7fb4b55c9bf55549 100644 (file)
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -1114,4 +1114,15 @@ func Test_using_two_engines_pattern()
   bwipe!
 endfunc
 
+func Test_recursive_substitute_expr()
+  new
+  func Repl()
+    s
+  endfunc
+  silent! s/\%')/~\=Repl()
+
+  bwipe!
+  delfunc Repl
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index de8e968f42f8c92718498c1751c2a1512e3e4b03..2d917a83175f0f0fe8c2c4d966523fec27a3bcf7 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    47,
 /**/
     46,
 /**/
Unnamed repository; edit this file 'description' to name the repository.