Mercurial > vim
comparison src/eval.c @ 15460:543cff56dd3f v8.1.0738
patch 8.1.0738: using freed memory, for loop over blob leaks memory
commit https://github.com/vim/vim/commit/ecc8bc482ba601b9301a6c129c92a0d1f8527f72
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Jan 13 16:07:21 2019 +0100
patch 8.1.0738: using freed memory, for loop over blob leaks memory
Problem: Using freed memory, for loop over blob leaks memory.
Solution: Clear pointer after freeing memory. Decrement reference count
after for loop over blob.
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Sun, 13 Jan 2019 16:15:06 +0100 |
| parents | 0f8065d7d68c |
| children | 3faa7cc8207c |
comparison
equal
deleted
inserted
replaced
| 15459:e9a83d4ac39c | 15460:543cff56dd3f |
|---|---|
| 2613 b = tv.vval.v_blob; | 2613 b = tv.vval.v_blob; |
| 2614 if (b == NULL) | 2614 if (b == NULL) |
| 2615 clear_tv(&tv); | 2615 clear_tv(&tv); |
| 2616 else | 2616 else |
| 2617 { | 2617 { |
| 2618 // No need to increment the refcount, it's already set for | |
| 2619 // the blob being used in "tv". | |
| 2618 fi->fi_blob = b; | 2620 fi->fi_blob = b; |
| 2619 fi->fi_bi = 0; | 2621 fi->fi_bi = 0; |
| 2620 } | 2622 } |
| 2621 } | 2623 } |
| 2622 else | 2624 else |
| 2682 if (fi != NULL && fi->fi_list != NULL) | 2684 if (fi != NULL && fi->fi_list != NULL) |
| 2683 { | 2685 { |
| 2684 list_rem_watch(fi->fi_list, &fi->fi_lw); | 2686 list_rem_watch(fi->fi_list, &fi->fi_lw); |
| 2685 list_unref(fi->fi_list); | 2687 list_unref(fi->fi_list); |
| 2686 } | 2688 } |
| 2689 if (fi != NULL && fi->fi_blob != NULL) | |
| 2690 blob_unref(fi->fi_blob); | |
| 2687 vim_free(fi); | 2691 vim_free(fi); |
| 2688 } | 2692 } |
| 2689 | 2693 |
| 2690 #if defined(FEAT_CMDL_COMPL) || defined(PROTO) | 2694 #if defined(FEAT_CMDL_COMPL) || defined(PROTO) |
| 2691 | 2695 |
| 4215 blob = blob_alloc(); | 4219 blob = blob_alloc(); |
| 4216 for (bp = *arg + 2; vim_isxdigit(bp[0]); bp += 2) | 4220 for (bp = *arg + 2; vim_isxdigit(bp[0]); bp += 2) |
| 4217 { | 4221 { |
| 4218 if (!vim_isxdigit(bp[1])) | 4222 if (!vim_isxdigit(bp[1])) |
| 4219 { | 4223 { |
| 4220 EMSG(_("E973: Blob literal should have an even number of hex characters")); | 4224 if (blob != NULL) |
| 4221 vim_free(blob); | 4225 { |
| 4226 EMSG(_("E973: Blob literal should have an even number of hex characters")); | |
| 4227 ga_clear(&blob->bv_ga); | |
| 4228 VIM_CLEAR(blob); | |
| 4229 } | |
| 4222 ret = FAIL; | 4230 ret = FAIL; |
| 4223 break; | 4231 break; |
| 4224 } | 4232 } |
| 4225 if (blob != NULL) | 4233 if (blob != NULL) |
| 4226 ga_append(&blob->bv_ga, | 4234 ga_append(&blob->bv_ga, |
| 4227 (hex2nr(*bp) << 4) + hex2nr(*(bp+1))); | 4235 (hex2nr(*bp) << 4) + hex2nr(*(bp+1))); |
| 4228 } | 4236 } |
| 4229 if (blob != NULL) | 4237 if (blob != NULL) |
| 4230 { | 4238 rettv_blob_set(rettv, blob); |
| 4231 ++blob->bv_refcount; | |
| 4232 rettv->v_type = VAR_BLOB; | |
| 4233 rettv->vval.v_blob = blob; | |
| 4234 } | |
| 4235 *arg = bp; | 4239 *arg = bp; |
| 4236 } | 4240 } |
| 4237 else | 4241 else |
| 4238 { | 4242 { |
| 4239 // decimal, hex or octal number | 4243 // decimal, hex or octal number |