patch 8.1.0738: using freed memory, for loop over blob leaks memory v8.1.0738
authorBram Moolenaar <Bram@vim.org>
Sun, 13 Jan 2019 15:07:21 +0000 (16:07 +0100)
committerBram Moolenaar <Bram@vim.org>
Sun, 13 Jan 2019 15:07:21 +0000 (16:07 +0100)
Problem:    Using freed memory, for loop over blob leaks memory.
Solution:   Clear pointer after freeing memory.  Decrement reference count
            after for loop over blob.

src/eval.c
src/version.c

index 993a5bc73b065b50681455835abd89950212cc83..a5e358fe15f77c1d289a8937ab46bb1a758cf90e 100644 (file)
@@ -2615,6 +2615,8 @@ eval_for_line(
                    clear_tv(&tv);
                else
                {
+                   // No need to increment the refcount, it's already set for
+                   // the blob being used in "tv".
                    fi->fi_blob = b;
                    fi->fi_bi = 0;
                }
@@ -2684,6 +2686,8 @@ free_for_info(void *fi_void)
        list_rem_watch(fi->fi_list, &fi->fi_lw);
        list_unref(fi->fi_list);
     }
+    if (fi != NULL && fi->fi_blob != NULL)
+       blob_unref(fi->fi_blob);
     vim_free(fi);
 }
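Review bot: The new `blob_unref(fi->fi_blob)` in free_for_info() is the only release of the reference that eval_for_line() keeps by not calling `clear_tv(&tv)`, and nothing at this site records that pairing. I would add `// Drop the reference taken over from "tv" in eval_for_line().` above the `if`, so that a later change to either side does not reintroduce the leak or cause a double unref. The pairing is inferred from the comment added in the first hunk. Both functions start outside the visible hunks, so other paths that set or clear `fi_blob` cannot be checked from here.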
 
@@ -4217,8 +4221,12 @@ eval7(
                    {
                        if (!vim_isxdigit(bp[1]))
                        {
-                           EMSG(_("E973: Blob literal should have an even number of hex characters"));
-                           vim_free(blob);
+                           if (blob != NULL)
+                           {
+                               EMSG(_("E973: Blob literal should have an even number of hex characters"));
+                               ga_clear(&blob->bv_ga);
+                               VIM_CLEAR(blob);
+                           }
                            ret = FAIL;
                            break;
                        }
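Review bot: The error path in eval7() now frees the blob by hand with `ga_clear(&blob->bv_ga); VIM_CLEAR(blob);`, but nothing says why the pointer must end up NULL. The `if (blob != NULL)` after the loop (next hunk) would otherwise take a reference on freed memory and return it, so I would add `// Clear "blob": the check after the loop must not see the freed pointer.` above the `ga_clear` call. Moving the E973 message inside `if (blob != NULL)` means it is reported only when a blob was allocated; that presumably corresponds to the evaluating case, but it also silences the message after a failed allocation, which is worth confirming. The file list shows only src/eval.c and src/version.c, so this memory-safety fix has no regression test; a test that feeds a blob literal with an odd number of hex characters and runs a `for` loop over a blob would pin both fixes. eval7() continues outside the hunk.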
@@ -4227,11 +4235,7 @@ eval7(
                                         (hex2nr(*bp) << 4) + hex2nr(*(bp+1)));
                    }
                    if (blob != NULL)
-                   {
-                       ++blob->bv_refcount;
-                       rettv->v_type = VAR_BLOB;
-                       rettv->vval.v_blob = blob;
-                   }
+                       rettv_blob_set(rettv, blob);
                    *arg = bp;
                }
                else
index 9f4bbfce744df370fbfcac1c19adccd4b1df316f..5d1d06f56990ccbe23d63b02933fdb317789d733 100644 (file)
@@ -795,6 +795,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    738,
 /**/
     737,
 /**/