Mercurial > vim

diff src/ops.c @ 10104:b2dbe79639a2 v7.4.2323

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
commit https://github.com/vim/vim/commit/d77f9d595eb5f301b39b4373f2900a13c0ca30e2 Author: Bram Moolenaar <Bram@vim.org> Date: Sun Sep 4 15:13:39 2016 +0200 patch 7.4.2323 Problem: Using freed memory when using 'formatexpr'. (Dominique Pelle) Solution: Make a copy of 'formatexpr' before evaluating it.
author Christian Brabandt <cb@256bit.org>
date Sun, 04 Sep 2016 15:15:06 +0200
parents 4aead6a9b7a9
children 99896ee0cac5
line wrap: on
line diff
--- a/src/ops.c
+++ b/src/ops.c
@@ -4741,6 +4741,7 @@ fex_format(
     int		use_sandbox = was_set_insecurely((char_u *)"formatexpr",
 								   OPT_LOCAL);
     int		r;
+    char_u	*fex;
 
     /*
      * Set v:lnum to the first line number and v:count to the number of lines.
@@ -4750,16 +4751,22 @@ fex_format(
     set_vim_var_nr(VV_COUNT, count);
     set_vim_var_char(c);
 
+    /* Make a copy, the option could be changed while calling it. */
+    fex = vim_strsave(curbuf->b_p_fex);
+    if (fex == NULL)
+	return 0;
+
     /*
      * Evaluate the function.
      */
     if (use_sandbox)
 	++sandbox;
-    r = (int)eval_to_number(curbuf->b_p_fex);
+    r = (int)eval_to_number(fex);
     if (use_sandbox)
 	--sandbox;
 
     set_vim_var_string(VV_CHAR, NULL, -1);
+    vim_free(fex);
 
     return r;
 }