Mercurial > vim
changeset 15460:543cff56dd3f v8.1.0738
patch 8.1.0738: using freed memory, for loop over blob leaks memory
commit https://github.com/vim/vim/commit/ecc8bc482ba601b9301a6c129c92a0d1f8527f72
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Jan 13 16:07:21 2019 +0100
patch 8.1.0738: using freed memory, for loop over blob leaks memory
Problem: Using freed memory, for loop over blob leaks memory.
Solution: Clear pointer after freeing memory. Decrement reference count
after for loop over blob.
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Sun, 13 Jan 2019 16:15:06 +0100 |
| parents | e9a83d4ac39c |
| children | 7bfa59464de1 |
| files | src/eval.c src/version.c |
| diffstat | 2 files changed, 13 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/src/eval.c +++ b/src/eval.c @@ -2615,6 +2615,8 @@ eval_for_line( clear_tv(&tv); else { + // No need to increment the refcount, it's already set for + // the blob being used in "tv". fi->fi_blob = b; fi->fi_bi = 0; } @@ -2684,6 +2686,8 @@ free_for_info(void *fi_void) list_rem_watch(fi->fi_list, &fi->fi_lw); list_unref(fi->fi_list); } + if (fi != NULL && fi->fi_blob != NULL) + blob_unref(fi->fi_blob); vim_free(fi); } @@ -4217,8 +4221,12 @@ eval7( { if (!vim_isxdigit(bp[1])) { - EMSG(_("E973: Blob literal should have an even number of hex characters")); - vim_free(blob); + if (blob != NULL) + { + EMSG(_("E973: Blob literal should have an even number of hex characters")); + ga_clear(&blob->bv_ga); + VIM_CLEAR(blob); + } ret = FAIL; break; } @@ -4227,11 +4235,7 @@ eval7( (hex2nr(*bp) << 4) + hex2nr(*(bp+1))); } if (blob != NULL) - { - ++blob->bv_refcount; - rettv->v_type = VAR_BLOB; - rettv->vval.v_blob = blob; - } + rettv_blob_set(rettv, blob); *arg = bp; } else