# HG changeset patch
# User Bram Moolenaar
# Date 1547392506 -3600
# Node ID 543cff56dd3fb31c0a115f0837cafb635617f742
# Parent e9a83d4ac39c07538e6e1ec0c61fdbff2035d55d
patch 8.1.0738: using freed memory, for loop over blob leaks memory
commit https://github.com/vim/vim/commit/ecc8bc482ba601b9301a6c129c92a0d1f8527f72
Author: Bram Moolenaar
Date: Sun Jan 13 16:07:21 2019 +0100
patch 8.1.0738: using freed memory, for loop over blob leaks memory
Problem: Using freed memory, for loop over blob leaks memory.
Solution: Clear pointer after freeing memory. Decrement reference count after for loop over blob.
diff --git a/src/eval.c b/src/eval.c
--- a/src/eval.c
+++ b/src/eval.c
@@ -2615,6 +2615,8 @@ eval_for_line(
 clear_tv(&tv);
 else
 {
+ // No need to increment the refcount, it's already set for
+ // the blob being used in "tv".
 fi->fi_blob = b;
 fi->fi_bi = 0;
 }
@@ -2684,6 +2686,8 @@ free_for_info(void *fi_void)
 list_rem_watch(fi->fi_list, &fi->fi_lw);
 list_unref(fi->fi_list);
 }
+ if (fi != NULL && fi->fi_blob != NULL)
+ blob_unref(fi->fi_blob);
 vim_free(fi);
 }
@@ -4217,8 +4221,12 @@ eval7(
 {
 if (!vim_isxdigit(bp[1]))
 {
- EMSG(_("E973: Blob literal should have an even number of hex characters"));
- vim_free(blob);
+ if (blob != NULL)
+ {
+ EMSG(_("E973: Blob literal should have an even number of hex characters"));
+ ga_clear(&blob->bv_ga);
+ VIM_CLEAR(blob);
+ }
 ret = FAIL;
 break;
 }
@@ -4227,11 +4235,7 @@ eval7(
 (hex2nr(*bp) << 4) + hex2nr(*(bp+1)));
 }
 if (blob != NULL)
- {
- ++blob->bv_refcount;
- rettv->v_type = VAR_BLOB;
- rettv->vval.v_blob = blob;
- }
+ rettv_blob_set(rettv, blob);
 *arg = bp;
 }
 else
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -796,6 +796,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 738,
+/**/
 737,
 /**/
 736,
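Review bot: The added `blob_unref(fi->fi_blob)` in free_for_info() carries no comment tying it to the reference it releases, which eval_for_line() takes over from "tv" without incrementing the count (as the comment added in the first hunk says). I would put `// Release the reference taken over from "tv" in eval_for_line().` above the new `if`, so a later change that adds its own increment or unref on either side does not unbalance the count and free the blob early. The two consecutive `fi != NULL` tests could also be folded into one early return, but the start of the function is outside this hunk.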
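Review bot: In the odd-digit branch of eval7() the E973 message is now issued only when `blob` is non-NULL, so `ret = FAIL` is returned without any message whenever `blob` is NULL. The assignment of `blob` lies outside the hunk, so I cannot tell whether that covers only a skipped evaluation or also a failed allocation. If the silence is intended, a short comment at the new `if (blob != NULL)` should say so. It is also worth recording that nulling the pointer is what keeps the `if (blob != NULL)` after the loop (next hunk) from touching the freed blob, for example `// Set "blob" to NULL so the check after the loop skips it.` above `VIM_CLEAR(blob);`.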