Mercurial > vim
changeset 10104:b2dbe79639a2 v7.4.2323
commit https://github.com/vim/vim/commit/d77f9d595eb5f301b39b4373f2900a13c0ca30e2
Author: Bram Moolenaar <Bram@vim.org>
Date: Sun Sep 4 15:13:39 2016 +0200
patch 7.4.2323
Problem: Using freed memory when using 'formatexpr'. (Dominique Pelle)
Solution: Make a copy of 'formatexpr' before evaluating it.
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 04 Sep 2016 15:15:06 +0200 |
| parents | b2c8f28c83df |
| children | 5aca505bbcfe |
| files | src/ops.c src/testdir/test_normal.vim src/version.c |
| diffstat | 3 files changed, 34 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/ops.c +++ b/src/ops.c @@ -4741,6 +4741,7 @@ fex_format( int use_sandbox = was_set_insecurely((char_u *)"formatexpr", OPT_LOCAL); int r; + char_u *fex; /* * Set v:lnum to the first line number and v:count to the number of lines. @@ -4750,16 +4751,22 @@ fex_format( set_vim_var_nr(VV_COUNT, count); set_vim_var_char(c); + /* Make a copy, the option could be changed while calling it. */ + fex = vim_strsave(curbuf->b_p_fex); + if (fex == NULL) + return 0; + /* * Evaluate the function. */ if (use_sandbox) ++sandbox; - r = (int)eval_to_number(curbuf->b_p_fex); + r = (int)eval_to_number(fex); if (use_sandbox) --sandbox; set_vim_var_string(VV_CHAR, NULL, -1); + vim_free(fex); return r; }
--- a/src/testdir/test_normal.vim +++ b/src/testdir/test_normal.vim @@ -192,6 +192,30 @@ func! Test_normal05_formatexpr() bw! endfu +func Test_normal05_formatexpr_newbuf() + " Edit another buffer in the 'formatexpr' function + new + func! Format() + edit another + endfunc + set formatexpr=Format() + norm gqG + bw! + set formatexpr= +endfunc + +func Test_normal05_formatexpr_setopt() + " Change the 'formatexpr' value in the function + new + func! Format() + set formatexpr= + endfunc + set formatexpr=Format() + norm gqG + bw! + set formatexpr= +endfunc + func! Test_normal06_formatprg() " basic test for formatprg " only test on non windows platform