patch 8.0.0667: memory access error when command follows :endfunc

Problem:    Memory access error when command follows :endfunction. (Nikolai
            Pavlov)
Solution:   Make memory handling in :function straightforward. (closes #1793)

diff --git a/src/testdir/test_vimscript.vim b/src/testdir/test_vimscript.vim
index 13b32cdd4b5bff44b49abb510f25e18c6443d29e..29394c990b2aefc8295eba13950485399e884c1f 100644 (file)
--- a/src/testdir/test_vimscript.vim
+++ b/src/testdir/test_vimscript.vim
@@ -1379,6 +1379,11 @@ func Test_endfunction_trailing()
     delfunc Xtest
     unlet done
 
+    " trailing line break
+    exe "func Xtest()\necho 'hello'\nendfunc\n"
+    call assert_true(exists('*Xtest'))
+    delfunc Xtest
+
     set verbose=1
     exe "func Xtest()\necho 'hello'\nendfunc \" garbage"
     call assert_notmatch('W22:', split(execute('1messages'), "\n")[0])
@@ -1390,6 +1395,11 @@ func Test_endfunction_trailing()
     call assert_true(exists('*Xtest'))
     delfunc Xtest
     set verbose=0
+
+    function Foo()
+       echo 'hello'
+    endfunction | echo 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+    delfunc Foo
 endfunc
 
 func Test_delfunction_force()

diff --git a/src/userfunc.c b/src/userfunc.c
index dfd7fcc24ac57d8bae5c5c691ed3bd6e121d8246..e187684551787a986990f8287da1b6ddba79c139 100644 (file)
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -1780,6 +1780,7 @@ theend:
 ex_function(exarg_T *eap)
 {
     char_u     *theline;
+    char_u     *line_to_free = NULL;
     int                j;
     int                c;
     int                saved_did_emsg;
@@ -2093,10 +2094,15 @@ ex_function(exarg_T *eap)
                line_arg = p + 1;
            }
        }
-       else if (eap->getline == NULL)
-           theline = getcmdline(':', 0L, indent);
        else
-           theline = eap->getline(':', eap->cookie, indent);
+       {
+           vim_free(line_to_free);
+           if (eap->getline == NULL)
+               theline = getcmdline(':', 0L, indent);
+           else
+               theline = eap->getline(':', eap->cookie, indent);
+           line_to_free = theline;
+       }
        if (KeyTyped)
            lines_left = Rows - 1;
        if (theline == NULL)
@@ -2130,18 +2136,29 @@ ex_function(exarg_T *eap)
            /* Check for "endfunction". */
            if (checkforcmd(&p, "endfunction", 4) && nesting-- == 0)
            {
+               char_u *nextcmd = NULL;
+
                if (*p == '|')
-                   /* Another command follows. */
-                   eap->nextcmd = vim_strsave(p + 1);
+                   nextcmd = p + 1;
                else if (line_arg != NULL && *skipwhite(line_arg) != NUL)
-                   /* Another command follows. */
-                   eap->nextcmd = line_arg;
+                   nextcmd = line_arg;
                else if (*p != NUL && *p != '"' && p_verbose > 0)
                    give_warning2(
                         (char_u *)_("W22: Text found after :endfunction: %s"),
                         p, TRUE);
-               if (line_arg == NULL)
-                   vim_free(theline);
+               if (nextcmd != NULL)
+               {
+                   /* Another command follows. If the line came from "eap" we
+                    * can simply point into it, otherwise we need to change
+                    * "eap->cmdlinep". */
+                   eap->nextcmd = nextcmd;
+                   if (line_to_free != NULL)
+                   {
+                       vim_free(*eap->cmdlinep);
+                       *eap->cmdlinep = line_to_free;
+                       line_to_free = NULL;
+                   }
+               }
                break;
            }
 
@@ -2212,24 +2229,15 @@ ex_function(exarg_T *eap)
 
        /* Add the line to the function. */
        if (ga_grow(&newlines, 1 + sourcing_lnum_off) == FAIL)
-       {
-           if (line_arg == NULL)
-               vim_free(theline);
            goto erret;
-       }
 
        /* Copy the line to newly allocated memory.  get_one_sourceline()
         * allocates 250 bytes per line, this saves 80% on average.  The cost
         * is an extra alloc/free. */
        p = vim_strsave(theline);
-       if (p != NULL)
-       {
-           if (line_arg == NULL)
-               vim_free(theline);
-           theline = p;
-       }
-
-       ((char_u **)(newlines.ga_data))[newlines.ga_len++] = theline;
+       if (p == NULL)
+           goto erret;
+       ((char_u **)(newlines.ga_data))[newlines.ga_len++] = p;
 
        /* Add NULL lines for continuation lines, so that the line count is
         * equal to the index in the growarray.   */
@@ -2428,6 +2436,7 @@ errret_2:
     ga_clear_strings(&newlines);
 ret_free:
     vim_free(skip_until);
+    vim_free(line_to_free);
     vim_free(fudi.fd_newkey);
     vim_free(name);
     did_emsg |= saved_did_emsg;

diff --git a/src/version.c b/src/version.c
index 52ed102658e089f527e524e8703e4048ff01aaf0..daa3531c12b19474b02db72ee4bc896686c72e6a 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    667,
 /**/
     666,
 /**/