patch 8.0.0942: using freed memory with ":terminal"

Problem:    Using freed memory with ":terminal" if an autocommand changes
            'shell' when splitting the window. (Marius Gedminas)
Solution:   Make a copy of 'shell'. (closes #1974)

diff --git a/src/terminal.c b/src/terminal.c
index d4a45fb8cb6c2c8588854eae39c29d239e151c1c..149679e3fc0fbe6d97b3e0a7cc7fc13d5e126f15 100644 (file)
--- a/src/terminal.c
+++ b/src/terminal.c
@@ -392,7 +392,8 @@ term_start(typval_T *argvar, jobopt_T *opt, int forceit)
     setup_job_options(opt, term->tl_rows, term->tl_cols);
 
     /* System dependent: setup the vterm and start the job in it. */
-    if (term_and_job_init(term, term->tl_rows, term->tl_cols, argvar, opt) == OK)
+    if (term_and_job_init(term, term->tl_rows, term->tl_cols, argvar, opt)
+                                                                        == OK)
     {
        /* Get and remember the size we ended up with.  Update the pty. */
        vterm_get_size(term->tl_vterm, &term->tl_rows, &term->tl_cols);
@@ -434,6 +435,7 @@ ex_terminal(exarg_T *eap)
     typval_T   argvar;
     jobopt_T   opt;
     char_u     *cmd;
+    char_u     *tofree = NULL;
 
     init_job_options(&opt);
 
@@ -462,7 +464,8 @@ ex_terminal(exarg_T *eap)
        cmd = skipwhite(p);
     }
     if (cmd == NULL || *cmd == NUL)
-       cmd = p_sh;
+       /* Make a copy, an autocommand may set 'shell'. */
+       tofree = cmd = vim_strsave(p_sh);
 
     if (eap->addr_count == 2)
     {
@@ -480,6 +483,7 @@ ex_terminal(exarg_T *eap)
     argvar.v_type = VAR_STRING;
     argvar.vval.v_string = cmd;
     term_start(&argvar, &opt, eap->forceit);
+    vim_free(tofree);
 }
 
 /*

diff --git a/src/version.c b/src/version.c
index d4617b0fd0a5bc0fed4a01c44e50952794148bfe..263b00492fdda09457899f9e3438a62097195faa 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -769,6 +769,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    942,
 /**/
     941,
 /**/