patch 8.2.5024: using freed memory with "]d"

Problem:    Using freed memory with "]d".
Solution:   Copy the pattern before searching.

diff --git a/src/normal.c b/src/normal.c
index 53c50dc8b368c54d2ee15694201ca64b184dc2d2..f075986551454050ac862398ed78afe8bd45e4f2 100644 (file)
--- a/src/normal.c
+++ b/src/normal.c
@@ -4464,6 +4464,11 @@ nv_brackets(cmdarg_T *cap)
            clearop(cap->oap);
        else
        {
+           // Make a copy, if the line was changed it will be freed.
+           ptr = vim_strnsave(ptr, len);
+           if (ptr == NULL)
+               return;
+
            find_pattern_in_path(ptr, 0, len, TRUE,
                cap->count0 == 0 ? !isupper(cap->nchar) : FALSE,
                ((cap->nchar & 0xf) == ('d' & 0xf)) ?  FIND_DEFINE : FIND_ANY,
@@ -4472,6 +4477,7 @@ nv_brackets(cmdarg_T *cap)
                            islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO,
                cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1,
                (linenr_T)MAXLNUM);
+           vim_free(ptr);
            curwin->w_set_curswant = TRUE;
        }
     }

diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 8b19c634d4dc9a5e1de2f1fc17c157c4abeaa82b..aacfb9baeb56fc739e90acf59fad68dc147152d1 100644 (file)
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
@@ -1399,6 +1399,12 @@ func Test_define_search()
   sil norm o0
   sil! norm \17\ 4
   bwipe!
+
+  new somefile
+  call setline(1, ['first line', '', '#define something 0'])
+  sil norm 0o0
+  sil! norm ]d
+  bwipe!
 endfunc
 
 " Test for [*, [/, ]* and ]/

diff --git a/src/version.c b/src/version.c
index cd6c33162204e712a746b389f6adaa51a5a764f0..ec52074c48bdba289a20537cc88f46ec051012b4 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    5024,
 /**/
     5023,
 /**/