patch 9.0.1095: using freed memory when declaration fails

Problem:    Using freed memory when declaration fails. (Yegappan Lakshmanan)
Solution:   After unreferencing an object set the reference to NULL.

diff --git a/src/testdir/test_vim9_class.vim b/src/testdir/test_vim9_class.vim
index c73e80fb629d5302af797d1c51f2da3281470ba5..7e4c92dda62c3bf6893e84e0cda3af2fc5dd3de4 100644 (file)
--- a/src/testdir/test_vim9_class.vim
+++ b/src/testdir/test_vim9_class.vim
@@ -349,6 +349,22 @@ def Test_class_object_member_access()
       assert_equal('make = 123', c2.GetMake())
   END
   v9.CheckScriptSuccess(lines)
+
+  lines =<< trim END
+      vim9script
+
+      class MyCar
+        this.make: string
+
+        def new(make_arg: string)
+            this.make = make_arg
+        enddef
+      endclass
+
+      var c = MyCar.new("abc")
+      var c = MyCar.new("def")
+  END
+  v9.CheckScriptFailure(lines, 'E1041:')
 enddef
 
 def Test_class_member_access()

diff --git a/src/typval.c b/src/typval.c
index 98915ccca9022ef4d2c226c634c50cc3958be517..6eae02b78e30b84d817186b1b3f20c7f86fc1549 100644 (file)
--- a/src/typval.c
+++ b/src/typval.c
@@ -162,9 +162,11 @@ clear_tv(typval_T *varp)
                break;
            case VAR_CLASS:
                class_unref(varp->vval.v_class);
+               varp->vval.v_class = NULL;
                break;
            case VAR_OBJECT:
                object_unref(varp->vval.v_object);
+               varp->vval.v_object = NULL;
                break;
            case VAR_UNKNOWN:
            case VAR_ANY:

diff --git a/src/version.c b/src/version.c
index 95d2a6b6abd49ac1f305be13c330795a44829bfb..36d3f81ff8c4dee7b3c53c83d2be76f7036590ef 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1095,
 /**/
     1094,
 /**/