patch 8.2.3428: using freed memory when replacing

Problem:    Using freed memory when replacing. (Dhiraj Mishra)
Solution:   Get the line pointer after calling ins_copychar().

diff --git a/src/normal.c b/src/normal.c
index 0e1e11801c7e420b71df934e8e55b486e5c77fdb..6620af9245bfaff31fa142ea8ea367c4b5f2aa38 100644 (file)
--- a/src/normal.c
+++ b/src/normal.c
@@ -5099,19 +5099,23 @@ nv_replace(cmdarg_T *cap)
            {
                /*
                 * Get ptr again, because u_save and/or showmatch() will have
-                * released the line.  At the same time we let know that the
-                * line will be changed.
+                * released the line.  This may also happen in ins_copychar().
+                * At the same time we let know that the line will be changed.
                 */
-               ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
                if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
                {
                  int c = ins_copychar(curwin->w_cursor.lnum
                                           + (cap->nchar == Ctrl_Y ? -1 : 1));
+
+                 ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
                  if (c != NUL)
                    ptr[curwin->w_cursor.col] = c;
                }
                else
+               {
+                   ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
                    ptr[curwin->w_cursor.col] = cap->nchar;
+               }
                if (p_sm && msg_silent == 0)
                    showmatch(cap->nchar);
                ++curwin->w_cursor.col;

diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
index 3fcc11f2d80229e7b1604affffdc0c6c08450207..518c21ea841ccb4f9e07eb412d25b88a2b40323b 100644 (file)
--- a/src/testdir/test_edit.vim
+++ b/src/testdir/test_edit.vim
@@ -1895,4 +1895,16 @@ func Test_edit_revins()
   bw!
 endfunc
 
+" Test for getting the character of the line below after "p"
+func Test_edit_put_CTRL_E()
+  set encoding=latin1
+  new
+  let @" = ''
+  sil! norm or\ 3ggRx
+  sil! norm pr\ 5
+  call assert_equal(['r', 'r'], getline(1, 2))
+  bwipe!
+  set encoding=utf-8
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab

diff --git a/src/version.c b/src/version.c
index f82881fc06975e1b000c51e0e18e3c07b934178f..2d6f6c7bfd33ca98038e7dc08ee818f8f5e39731 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -755,6 +755,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    3428,
 /**/
     3427,
 /**/