From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 21 Sep 2022 13:07:22 +0100
Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
Problem: Using freed memory when autocmd changes mark.
Solution: Copy the mark before editing another buffer.
---
src/mark.c | 12 +++++++-----
src/testdir/test_marks.vim | 13 +++++++++++++
src/version.c | 2 ++
3 files changed, 22 insertions(+), 5 deletions(-)
--- a/src/mark.c
+++ b/src/mark.c
@@ -252,17 +252,19 @@ movemark(int count)
fname2fnum(jmp);
if (jmp->fmark.fnum != curbuf->b_fnum)
{
- /* jump to other file */
- if (buflist_findnr(jmp->fmark.fnum) == NULL)
+ /* Make a copy, an autocommand may make "jmp" invalid. */
+ fmark_T fmark = jmp->fmark;
+
+ /* jump to the file with the mark */
+ if (buflist_findnr(fmark.fnum) == NULL)
{ /* Skip this one .. */
count += count < 0 ? -1 : 1;
continue;
}
- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
- 0, FALSE) == FAIL)
+ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
return (pos_T *)NULL;
/* Set lnum again, autocommands my have changed it */
- curwin->w_cursor = jmp->fmark.mark;
+ curwin->w_cursor = fmark.mark;
pos = (pos_T *)-1;
}
else
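Review bot: The snapshot `fmark_T fmark = jmp->fmark;` protects only the reads inside this branch; movemark's body continues past the `else` that closes outside the hunk, so any remaining `jmp->` dereference after the `if`/`else` (or in the `else` arm, which runs without a buffer switch and is presumably safe) would still touch memory the autocommand may have freed, and the tail of the function is worth checking for that. The retained context comment on the cursor assignment now reads oddly against the copied value and carries a typo; I would change it to `/* Restore the cursor from the snapshot; an autocommand may have moved it. */`. A one-line note on why the skip path uses `fmark.fnum` rather than `jmp->fmark.fnum` would also help a future reader, since `jmp` is still valid there and the copy looks redundant at first glance.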
--- a/src/testdir/test_marks.vim
+++ b/src/testdir/test_marks.vim
@@ -174,3 +174,16 @@ func Test_mark_error()
call assert_fails('mark xx', 'E488:')
call assert_fails('mark _', 'E191:')
endfunc
+" This was using freed memory
+func Test_jump_mark_autocmd()
+ next 00
+ edit 0
+ sargument
+ au BufEnter 0 all
+ sil norm
+
+ au! BufEnter
+ bwipe!
+endfunc
+
+
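Review bot: The argument to `sil norm` in Test_jump_mark_autocmd is not visible on this page, presumably a raw control character, which makes the keystroke that triggers the jump impossible to review or grep for; writing it as `exe "sil norm \<C-...>"` with the key in `\<...>` notation (substituting the intended key) keeps the test readable in any editor and diff viewer. The `au! BufEnter` cleanup also removes every BufEnter autocommand in the test instance, not just the one this test added; `au! BufEnter 0` would scope the removal to the pattern registered above. The buffers opened with `next 00` and `edit 0` are only partially wiped by the single `bwipe!`, so later tests may inherit a non-empty argument list unless `%bwipe!` is used instead.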
--- a/src/version.c
+++ b/src/version.c
@@ -2619,6 +2619,7 @@ static char *(extra_patches[]) =
"8.2.3409",
"8.2.3428",
"9.0.0490",
+ "9.0.0530",
/**/
NULL
};