patch 8.2.3923: Vim9: double free with split argument list in nested function v8.2.3923
authorBram Moolenaar <Bram@vim.org>
Tue, 28 Dec 2021 17:23:12 +0000 (17:23 +0000)
committerBram Moolenaar <Bram@vim.org>
Tue, 28 Dec 2021 17:23:12 +0000 (17:23 +0000)
Problem:    Vim9: double free if a nested function has a line break in the
            argument list.
Solution:   Set cmdlinep when freeing the previous line.

src/testdir/test_vim9_func.vim
src/userfunc.c
src/version.c

index 1a14c101679576203531c38ad4fa15f775a4e7a0..88c0af8e0da5a8dfd74bfb2c2138b86e67bb7dbf 100644 (file)
@@ -1669,7 +1669,7 @@ def Test_error_in_nested_function()
   assert_fails('FuncWithForwardCall()', 'E1096:', '', 1, 'FuncWithForwardCall')
 enddef
 
-def Test_nested_functin_with_nextcmd()
+def Test_nested_function_with_nextcmd()
   var lines =<< trim END
       vim9script
       # Define an outer function
@@ -1689,6 +1689,24 @@ def Test_nested_functin_with_nextcmd()
   CheckScriptFailure(lines, 'E476: Invalid command: AAAAA')
 enddef
 
+def Test_nested_function_with_args_split()
+  var lines =<< trim END
+      vim9script
+      def FirstFunction()
+        def SecondFunction(
+        )
+        # had a double free if the right parenthesis of the nested function is
+        # on the next line
+         
+        enddef|BBBB
+      enddef
+      # Compile all functions
+      defcompile
+  END
+  # FIXME: this should fail on the BBBB
+  CheckScriptSuccess(lines)
+enddef
+
 def Test_return_type_wrong()
   CheckScriptFailure([
         'def Func(): number',
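Review bot: `Test_nested_function_with_args_split` ends with `CheckScriptSuccess(lines)` although its own FIXME says the trailing `|BBBB` should be rejected, so the test pins an outcome the author already considers wrong and must be switched to a failure check once that is fixed. The script result also says nothing about the memory error itself: the regression would presumably only show up when the suite runs under a memory checker or an allocator that aborts on a double free. A comment above the final check would record this, for example `# the regression is the double free, only visible with a memory checker; the script result is not the point`.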
index e1028e772816c0ada295bc557766f6648b511dfa..a7cbac3c8675b335f8e8387fe94cd41b304655cf 100644 (file)
@@ -219,6 +219,8 @@ get_function_args(
            if (theline == NULL)
                break;
            vim_free(*line_to_free);
+           if (*eap->cmdlinep == *line_to_free)
+               *eap->cmdlinep = theline;
            *line_to_free = theline;
            whitep = (char_u *)" ";
            p = skipwhite(theline);
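Review bot: The added comparison `*eap->cmdlinep == *line_to_free` runs after `vim_free(*line_to_free)`, so it reads a pointer value whose storage has already been released. Nothing is dereferenced, but C leaves such a value indeterminate and static analyzers tend to report it as a use after free. Doing the check first has the same effect: `if (*eap->cmdlinep == *line_to_free) *eap->cmdlinep = theline;` followed by `vim_free(*line_to_free);`. A short comment such as `// cmdlinep may alias the line being freed; repoint it so it is not freed a second time` would record why the aliasing matters. The enclosing loop of get_function_args starts and ends outside the hunk, so whether `eap` and `eap->cmdlinep` are always non-NULL here cannot be confirmed from these lines.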
index 6c8bced722b26254640650ddafac2290e5677a13..5d22d98e8dadf58cafacc6aeaae106962925bd17 100644 (file)
@@ -749,6 +749,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    3923,
 /**/
     3922,
 /**/