From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 19 Feb 2017 20:07:04 +0000 (+0100)
Subject: patch 8.0.0342: double free with EXITFREE and setting 'ttytype'
X-Git-Tag: v8.0.0342
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=673911457d6745b6b779eb769c2f41965592d12c;p=vim

patch 8.0.0342: double free with EXITFREE and setting 'ttytype'

Problem:    Double free when compiled with EXITFREE and setting 'ttytype'.
Solution:   Avoid setting P_ALLOCED on 'ttytype'. (Dominique Pelle,
            closes #1461)
---

diff --git a/src/option.c b/src/option.c
index b5f3a9a86..48a8048cb 100644
--- a/src/option.c
+++ b/src/option.c
@@ -3775,7 +3775,7 @@ free_all_options(void)
 	if (options[i].indir == PV_NONE)
 	{
 	    /* global option: free value and default value. */
-	    if (options[i].flags & P_ALLOCED && options[i].var != NULL)
+	    if ((options[i].flags & P_ALLOCED) && options[i].var != NULL)
 		free_string_option(*(char_u **)options[i].var);
 	    if (options[i].flags & P_DEF_ALLOCED)
 		free_string_option(options[i].def_val[VI_DEFAULT]);
@@ -5929,8 +5929,14 @@ did_set_string_option(
 	else if (set_termname(T_NAME) == FAIL)
 	    errmsg = (char_u *)N_("E522: Not found in termcap");
 	else
+	{
 	    /* Screen colors may have changed. */
 	    redraw_later_clear();
+
+	    /* Both 'term' and 'ttytype' point to T_NAME, only set the
+	     * P_ALLOCED flag on 'term'. */
+	    opt_idx = findoption((char_u *)"term");
+	}
     }
 
     /* 'backupcopy' */
diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim
index 31a87af70..9ac46f243 100644
--- a/src/testdir/test_options.vim
+++ b/src/testdir/test_options.vim
@@ -235,3 +235,22 @@ func Test_set_errors()
   call assert_fails("set showbreak=\x01", 'E595:')
   call assert_fails('set t_foo=', 'E846:')
 endfunc
+
+func Test_set_ttytype()
+  if !has('gui_running') && has('unix')
+    " Setting 'ttytype' used to cause a double-free when exiting vim and
+    " when vim is compiled with -DEXITFREE.
+    set ttytype=ansi
+    call assert_equal('ansi', &ttytype)
+    call assert_equal(&ttytype, &term)
+    set ttytype=xterm
+    call assert_equal('xterm', &ttytype)
+    call assert_equal(&ttytype, &term)
+    " FIXME: "set ttytype=" gives E522 instead of E529
+    " in travis on some builds. Why? Commented out this test for now.
+    " call assert_fails('set ttytype=', 'E529:')
+    call assert_fails('set ttytype=xxx', 'E522:')
+    set ttytype&
+    call assert_equal(&ttytype, &term)
+  endif
+endfunc
diff --git a/src/version.c b/src/version.c
index f12c508d4..c1dff6cff 100644
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    342,
 /**/
     341,
 /**/