patch 8.2.0240: using memory after it was freed

Problem:    Using memory after it was freed. (Dominique Pelle)
Solution:   Do not mix converion buffer with other buffer.

diff --git a/src/version.c b/src/version.c
index cf96f4051453af03b8e29d7da1ca8f0192d4388d..7eaf24bdd1994ccc4836f1f9d7c96970b5097917 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -742,6 +742,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    240,
 /**/
     239,
 /**/

diff --git a/src/vim.h b/src/vim.h
index 12af8560c6fc8a00e2b77c149691e782016833d0..270109ace94bc7ed7a3f84e3babc45dc11d2f95d 100644 (file)
--- a/src/vim.h
+++ b/src/vim.h
@@ -1129,20 +1129,6 @@ extern int (*dyn_libintl_wputenv)(const wchar_t *envstring);
 #define VIMINFO_VERSION_WITH_REGISTERS 3
 #define VIMINFO_VERSION_WITH_MARKS 4
 
-typedef enum {
-    BVAL_NR,
-    BVAL_STRING,
-    BVAL_EMPTY
-} btype_T;
-
-typedef struct {
-    btype_T    bv_type;
-    long       bv_nr;
-    char_u     *bv_string;
-    int                bv_len;         // length of bv_string
-    int                bv_allocated;   // bv_string was allocated
-} bval_T;
-
 /*
  * Values for do_tag().
  */

diff --git a/src/viminfo.c b/src/viminfo.c
index b2b7ab28b0d54d2ceee2843851d1599dd5549435..897e8646296b32876738cb4f69771d5967ea31c6 100644 (file)
--- a/src/viminfo.c
+++ b/src/viminfo.c
@@ -26,6 +26,21 @@ typedef struct
     garray_T   vir_barlines;   // lines starting with |
 } vir_T;
 
+typedef enum {
+    BVAL_NR,
+    BVAL_STRING,
+    BVAL_EMPTY
+} btype_T;
+
+typedef struct {
+    btype_T    bv_type;
+    long       bv_nr;
+    char_u     *bv_string;
+    char_u     *bv_tofree;     // free later when not NULL
+    int                bv_len;         // length of bv_string
+    int                bv_allocated;   // bv_string was allocated
+} bval_T;
+
 #if defined(FEAT_VIMINFO) || defined(PROTO)
 
 static int  viminfo_errcnt;
@@ -1087,22 +1102,24 @@ barline_parse(vir_T *virp, char_u *text, garray_T *values)
            s[len] = NUL;
 
            converted = FALSE;
+           value->bv_tofree = NULL;
            if (virp->vir_conv.vc_type != CONV_NONE && *s != NUL)
            {
                sconv = string_convert(&virp->vir_conv, s, NULL);
                if (sconv != NULL)
                {
                    if (s == buf)
-                       vim_free(s);
+                       // the converted string is stored in bv_string and
+                       // freed later, also need to free "buf" later
+                       value->bv_tofree = buf;
                    s = sconv;
-                   buf = s;
                    converted = TRUE;
                }
            }
 
            // Need to copy in allocated memory if the string wasn't allocated
            // above and we did allocate before, thus vir_line may change.
-           if (s != buf && allocated)
+           if (s != buf && allocated && !converted)
                s = vim_strsave(s);
            value->bv_string = s;
            value->bv_type = BVAL_STRING;
@@ -2747,6 +2764,7 @@ read_viminfo_barline(vir_T *virp, int got_encoding, int force, int writing)
            vp = (bval_T *)values.ga_data + i;
            if (vp->bv_type == BVAL_STRING && vp->bv_allocated)
                vim_free(vp->bv_string);
+           vim_free(vp->bv_tofree);
        }
        ga_clear(&values);
     }