]> granicus.if.org Git - vim/commitdiff
patch 9.0.1050: using freed memory when assigning to variable twice v9.0.1050
authorBram Moolenaar <Bram@vim.org>
Mon, 12 Dec 2022 18:56:32 +0000 (18:56 +0000)
committerBram Moolenaar <Bram@vim.org>
Mon, 12 Dec 2022 18:56:32 +0000 (18:56 +0000)
Problem:    Using freed memory when assigning to variable twice.
Solution:   Make copy of the list type. (closes #11691)

src/testdir/test_vim9_script.vim
src/version.c
src/vim9type.c

index b6e1a89d24c4221997d6d333940340a727ed407c..c489ae55d8928b5b015c68903794d6ad1c13d5f6 100644 (file)
@@ -4519,6 +4519,36 @@ def Test_echo_uninit_variables()
   endif
 enddef
 
+def Test_free_type_before_use()
+  # this rather complicated script was freeing a type before using it
+  var lines =<< trim END
+      vim9script
+
+      def Scan(rel: list<dict<any>>): func(func(dict<any>))
+        return (Emit: func(dict<any>)) => {
+          for t in rel
+            Emit(t)
+          endfor
+        }
+      enddef
+
+      def Build(Cont: func(func(dict<any>))): list<dict<any>>
+        var rel: list<dict<any>> = []
+        Cont((t) => {
+            add(rel, t)
+        })
+        return rel
+      enddef
+
+      var R = [{A: 0}]
+      var result = Scan(R)->Build()
+      result = Scan(R)->Build()
+
+      assert_equal(R, result)
+  END
+  v9.CheckScriptSuccess(lines)
+enddef
+
 " Keep this last, it messes up highlighting.
 def Test_substitute_cmd()
   new
index 48d9250cb43bb612b032fc37a5b74c94e7aa80ec..f72d53796603d8d6410ed83cecbe1c3065e07d0d 100644 (file)
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1050,
 /**/
     1049,
 /**/
index f36fa5eea4500e5dbe51e8f89969dcb7f895396d..5d37ac5dce0518850226a84fcfdd6c88e4f10f81 100644 (file)
@@ -403,7 +403,8 @@ typval2type_int(typval_T *tv, int copyID, garray_T *type_gap, int flags)
        if (l->lv_type != NULL && (l->lv_first == NULL
                                           || (flags & TVTT_MORE_SPECIFIC) == 0
                                           || l->lv_type->tt_member != &t_any))
-           return l->lv_type;
+           // make a copy, lv_type may be freed if the list is freed
+           return copy_type(l->lv_type, type_gap);
        if (l->lv_first == &range_list_item)
            return &t_list_number;
        if (l->lv_copyID == copyID)