patch 8.2.4646: using buffer line after it has been freed v8.2.4646
authorBram Moolenaar <Bram@vim.org>
Tue, 29 Mar 2022 12:24:58 +0000 (13:24 +0100)
committerBram Moolenaar <Bram@vim.org>
Tue, 29 Mar 2022 12:24:58 +0000 (13:24 +0100)
Problem:    Using buffer line after it has been freed in old regexp engine.
Solution:   After getting mark get the line again.

src/regexp_bt.c
src/testdir/test_regexp_latin.vim
src/version.c

index 4082f59d35cc31dd9968152af42c05a933ee999e..793faaf6bc0fd9fcdb7e6cc57555e481bb610570 100644 (file)
@@ -3360,8 +3360,17 @@ regmatch(
                int     mark = OPERAND(scan)[0];
                int     cmp = OPERAND(scan)[1];
                pos_T   *pos;
+               size_t  col = REG_MULTI ? rex.input - rex.line : 0;
 
                pos = getmark_buf(rex.reg_buf, mark, FALSE);
+
+               // Line may have been freed, get it again.
+               if (REG_MULTI)
+               {
+                   rex.line = reg_getline(rex.lnum);
+                   rex.input = rex.line + col;
+               }
+
                if (pos == NULL              // mark doesn't exist
                        || pos->lnum <= 0)   // mark isn't set in reg_buf
                {
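Review bot: The pointer re-fetched with `rex.line = reg_getline(rex.lnum);` is used on the next line without a NULL check, and `col` is re-applied on the unstated assumption that the line's text and length are unchanged after `getmark_buf()` returns. Whether `reg_getline()` can return NULL or a shorter line for `rex.lnum` at this point is not visible in the hunk, so either guard the result or spell out the invariant in the comment, e.g. `// getmark_buf() may fetch another buffer line, which frees this one; the text itself is unchanged, so col is still valid.` (if that is indeed the cause). Only `rex.line` and `rex.input` are refreshed here. Any other pointer into the old line that regmatch() saved earlier would still dangle and deserves an audit, since the function body starts and ends outside the hunk.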
index 71915be9eda896dd6fe4b378cfdc0913e48fa27e..fc9c81bfeea7a7ffa0e4f3043add0aaa0c872933 100644 (file)
@@ -1042,10 +1042,17 @@ endfunc
 
 func Test_using_mark_position()
   " this was using freed memory
+  " new engine
   new
   norm O0
   call assert_fails("s/\\%')", 'E486:')
   bwipe!
+
+  " old engine
+  new
+  norm O0
+  call assert_fails("s/\\%#=1\\%')", 'E486:')
+  bwipe!
 endfunc
 
 func Test_using_visual_position()
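Review bot: The case labelled `" new engine` does not pin an engine, so it presumably relies on the default 'regexpengine' setting selecting the NFA matcher; writing the pattern as `"s/\\%#=2\\%')"` would make both halves explicit and independent of that setting. Both cases assert only `E486:`, so a regression of the use-after-free would pass silently unless the suite runs under a memory checker such as ASan or Valgrind. A short comment saying so next to `" this was using freed memory` would help the next maintainer. The two halves are otherwise identical and could be a loop over the engine number.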
index 03778bd5caa264920655c719d811e259153190d5..14fd1c369c95ee048382e09e4ab66d7872516fbd 100644 (file)
@@ -750,6 +750,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    4646,
 /**/
     4645,
 /**/