From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sat, 17 Sep 2022 19:43:23 +0100
Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
autocmd
Problem: Using freed memory with cmdwin and BufEnter autocmd.
Solution: Make sure pointer to b_p_iminsert is still valid.
---
src/ex_getln.c | 8 ++++++--
src/testdir/test_cmdwin.vim | 10 ++++++++++
src/version.c | 2 ++
3 files changed, 18 insertions(+), 2 deletions(-)
Backport: rewrote b_im_ptr handling
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -858,6 +858,7 @@ getcmdline_int(
#endif
expand_T xpc;
long *b_im_ptr = NULL;
+ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
struct cmdline_info save_ccline;
int did_save_ccline = FALSE;
int cmdline_type;
@@ -968,6 +969,7 @@ getcmdline_int(
b_im_ptr = &curbuf->b_p_iminsert;
else
b_im_ptr = &curbuf->b_p_imsearch;
+ b_im_ptr_buf = curbuf;
if (*b_im_ptr == B_IMODE_LMAP)
State |= LANGMAP;
#ifdef HAVE_INPUT_METHOD
@@ -1718,7 +1720,7 @@ getcmdline_int(
#ifdef HAVE_INPUT_METHOD
im_set_active(FALSE); /* Disable input method */
#endif
- if (b_im_ptr != NULL)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
{
if (State & LANGMAP)
*b_im_ptr = B_IMODE_LMAP;
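Review bot: `buf_valid(b_im_ptr_buf)` only confirms that a buffer at that address is currently in the buffer list, so if the original buffer was wiped and a new one allocated at the same address, the guard passes and `*b_im_ptr` is written into an unrelated buffer's option. Vim's `bufref_T` with `set_bufref()` / `bufref_valid()` exists for this case because it also compares the buffer number; if the backport target has it, consider `bufref_T b_im_ptr_bufref;` and testing `bufref_valid(&b_im_ptr_bufref)` instead. The same guard is repeated in the later hunks at -1732, -1742 and -2476, so the change would apply to all of them. Whether address reuse is actually reachable from an autocommand on this path cannot be told from the hunk.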
@@ -1732,7 +1734,7 @@ getcmdline_int(
/* There are no ":lmap" mappings, toggle IM. When
* 'imdisable' is set don't try getting the status, it's
* always off. */
- if ((p_imdisable && b_im_ptr != NULL)
+ if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
? *b_im_ptr == B_IMODE_IM : im_get_status())
{
im_set_active(FALSE); /* Disable input method */
@@ -1742,12 +1744,12 @@ getcmdline_int(
else
{
im_set_active(TRUE); /* Enable input method */
- if (b_im_ptr != NULL)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
*b_im_ptr = B_IMODE_IM;
}
}
#endif
- if (b_im_ptr != NULL)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
{
if (b_im_ptr == &curbuf->b_p_iminsert)
set_iminsert_global();
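Review bot: Inside the new `buf_valid()` guard the code still compares against `&curbuf->b_p_iminsert`, but this patch addresses the case where an autocommand has changed buffers underneath the command line. If `curbuf` is no longer `b_im_ptr_buf`, the comparison fails even when `b_im_ptr` points at the saved buffer's 'iminsert', and whatever follows this `if` (outside the hunk) runs instead. Comparing with `&b_im_ptr_buf->b_p_iminsert` would keep the choice tied to the buffer the pointer was taken from. `set_iminsert_global()` presumably reads `curbuf` as well, so it is worth confirming which buffer's value ends up copied to the global.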
@@ -2476,7 +2478,8 @@ returncmd:
State = save_State;
#ifdef HAVE_INPUT_METHOD
- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
+ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
+ && *b_im_ptr != B_IMODE_LMAP)
im_save_status(b_im_ptr);
im_set_active(FALSE);
#endif
--- /dev/null
+++ b/src/testdir/test_cmdwin.vim
@@ -0,0 +1,12 @@
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
+
+" vim: shiftwidth=2 sts=2 expandtab
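Review bot: `Test_cmdwin_freed_buffer_ptr()` contains no assertion and runs the triggering command under `silent!`, so on an ordinary build it passes whether or not the fix is present. It only catches a regression when the suite runs under a memory checker, which a comment should state, e.g. `" Only fails when run with ASan or valgrind.` The `BufEnter *` autocommand is also defined outside an augroup and removed only on the last lines, so an error before `au! BufEnter` would leave it active for later tests. Defining it inside an `augroup` and clearing that group in the cleanup would contain it.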
--- a/src/testdir/Make_all.mak
+++ b/src/testdir/Make_all.mak
@@ -89,6 +89,7 @@ NEW_TESTS = \
test_clientserver \
test_close_count \
test_cmdline \
+ test_cmdwin \
test_command_count \
test_comparators \
test_compiler \
--- a/src/version.c
+++ b/src/version.c
@@ -2618,6 +2618,7 @@ static char *(extra_patches[]) =
"8.2.3403",
"8.2.3409",
"8.2.3428",
+ "9.0.0490",
/**/
NULL
};