From adce965162dd89bf29ee0e5baf53652e7515762c Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Mon, 22 Aug 2022 16:35:45 +0100 Subject: [PATCH] patch 9.0.0246: using freed memory when 'tagfunc' deletes the buffer Problem: Using freed memory when 'tagfunc' deletes the buffer. Solution: Make a copy of the tag name. --- src/tag.c | 9 ++++++++- src/testdir/test_tagfunc.vim | 12 ++++++++++++ src/version.c | 2 ++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/tag.c b/src/tag.c index 8a351cc05..02f0818fe 100644 --- a/src/tag.c +++ b/src/tag.c @@ -281,6 +281,7 @@ do_tag( char_u *buf_ffname = curbuf->b_ffname; // name to use for // priority computation int use_tfu = 1; + char_u *tofree = NULL; // remember the matches for the last used tag static int num_matches = 0; @@ -630,7 +631,12 @@ do_tag( * When desired match not found yet, try to find it (and others). */ if (use_tagstack) - name = tagstack[tagstackidx].tagname; + { + // make a copy, the tagstack may change in 'tagfunc' + name = vim_strsave(tagstack[tagstackidx].tagname); + vim_free(tofree); + tofree = name; + } #if defined(FEAT_QUICKFIX) else if (g_do_tagpreview != 0) name = ptag_entry.tagname; @@ -922,6 +928,7 @@ end_do_tag: g_do_tagpreview = 0; // don't do tag preview next time # endif + vim_free(tofree); #ifdef FEAT_CSCOPE return jumped_to_tag; #else diff --git a/src/testdir/test_tagfunc.vim b/src/testdir/test_tagfunc.vim index 05d8473cf..95826121c 100644 --- a/src/testdir/test_tagfunc.vim +++ b/src/testdir/test_tagfunc.vim @@ -389,4 +389,16 @@ func Test_tagfunc_callback() %bw! endfunc +func Test_tagfunc_wipes_buffer() + func g:Tag0unc0(t,f,o) + bwipe + endfunc + set tagfunc=g:Tag0unc0 + new + cal assert_fails('tag 0', 'E987:') + + delfunc g:Tag0unc0 + set tagfunc= +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c index ec381fef2..ec1302df0 100644 --- a/src/version.c +++ b/src/version.c @@ -731,6 +731,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 246, /**/ 245, /**/ -- 2.40.0