changeset 11569:7003f241b6c7 v8.0.0667

patch 8.0.0667: memory access error when command follows :endfunc commit https://github.com/vim/vim/commit/53564f7c1a2998d92568e07fff1f2a4c1cecb646 Author: Bram Moolenaar <Bram@vim.org> Date: Sat Jun 24 14:48:11 2017 +0200 patch 8.0.0667: memory access error when command follows :endfunc Problem: Memory access error when command follows :endfunction. (Nikolai Pavlov) Solution: Make memory handling in :function straightforward. (closes #1793)
author Christian Brabandt <cb@256bit.org>
date Sat, 24 Jun 2017 15:00:03 +0200
parents 153311004f95
children 62504e4ce7ba
files src/testdir/test_vimscript.vim src/userfunc.c src/version.c
diffstat 3 files changed, 42 insertions(+), 21 deletions(-) [+]
--- a/src/testdir/test_vimscript.vim
+++ b/src/testdir/test_vimscript.vim
@@ -1379,6 +1379,11 @@ func Test_endfunction_trailing()
     delfunc Xtest
     unlet done
 
+    " trailing line break
+    exe "func Xtest()\necho 'hello'\nendfunc\n"
+    call assert_true(exists('*Xtest'))
+    delfunc Xtest
+
     set verbose=1
     exe "func Xtest()\necho 'hello'\nendfunc \" garbage"
     call assert_notmatch('W22:', split(execute('1messages'), "\n")[0])
@@ -1390,6 +1395,11 @@ func Test_endfunction_trailing()
     call assert_true(exists('*Xtest'))
     delfunc Xtest
     set verbose=0
+
+    function Foo()
+	echo 'hello'
+    endfunction | echo 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+    delfunc Foo
 endfunc
 
 func Test_delfunction_force()
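Review bot: The `function Foo()` case added at the end of Test_endfunction_trailing() has no assertion and no comment, so on a normal run it passes whether or not the command after `endfunction |` is read from valid memory. It presumably relies on the suite being run under valgrind or a sanitizer, and on the long `'xxxx…'` argument to make a stale pointer visible. State that above the block, e.g. `" A command after ":endfunction |" must not be read from freed memory; only a memory checker detects a regression here.`, and add `call assert_true(exists('*Foo'))` before `delfunc Foo` so the definition itself is checked.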
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -1780,6 +1780,7 @@ theend:
 ex_function(exarg_T *eap)
 {
     char_u	*theline;
+    char_u	*line_to_free = NULL;
     int		j;
     int		c;
     int		saved_did_emsg;
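Review bot: `line_to_free` is declared without a comment, although it now carries the ownership of every line obtained through getline(), and its lifetime is spread over four separate hunks (freed at the top of the read branch, handed over to `*eap->cmdlinep`, and freed at `ret_free`). A one-line contract at the declaration would make that checkable, e.g. `char_u *line_to_free = NULL; /* last line from getline(); owned here until freed or moved to *eap->cmdlinep */`. The body of ex_function() runs far beyond this hunk.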
@@ -2093,10 +2094,15 @@ ex_function(exarg_T *eap)
 		line_arg = p + 1;
 	    }
 	}
-	else if (eap->getline == NULL)
-	    theline = getcmdline(':', 0L, indent);
 	else
-	    theline = eap->getline(':', eap->cookie, indent);
+	{
+	    vim_free(line_to_free);
+	    if (eap->getline == NULL)
+		theline = getcmdline(':', 0L, indent);
+	    else
+		theline = eap->getline(':', eap->cookie, indent);
+	    line_to_free = theline;
+	}
 	if (KeyTyped)
 	    lines_left = Rows - 1;
 	if (theline == NULL)
@@ -2130,18 +2136,29 @@ ex_function(exarg_T *eap)
 	    /* Check for "endfunction". */
 	    if (checkforcmd(&p, "endfunction", 4) && nesting-- == 0)
 	    {
+		char_u *nextcmd = NULL;
+
 		if (*p == '|')
-		    /* Another command follows. */
-		    eap->nextcmd = vim_strsave(p + 1);
+		    nextcmd = p + 1;
 		else if (line_arg != NULL && *skipwhite(line_arg) != NUL)
-		    /* Another command follows. */
-		    eap->nextcmd = line_arg;
+		    nextcmd = line_arg;
 		else if (*p != NUL && *p != '"' && p_verbose > 0)
 		    give_warning2(
 			 (char_u *)_("W22: Text found after :endfunction: %s"),
 			 p, TRUE);
-		if (line_arg == NULL)
-		    vim_free(theline);
+		if (nextcmd != NULL)
+		{
+		    /* Another command follows. If the line came from "eap" we
+		     * can simply point into it, otherwise we need to change
+		     * "eap->cmdlinep". */
+		    eap->nextcmd = nextcmd;
+		    if (line_to_free != NULL)
+		    {
+			vim_free(*eap->cmdlinep);
+			*eap->cmdlinep = line_to_free;
+			line_to_free = NULL;
+		    }
+		}
 		break;
 	    }
 
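Review bot: After `vim_free(*eap->cmdlinep)` in the `nextcmd != NULL` branch, every pointer that still refers to the old command line is dangling (`eap->cmd` and `eap->arg` at least, if they point into that buffer as is usual for an exarg_T). The hunk does not show whether anything after the `break` reads them. ex_function() continues well past this hunk, so that tail should be checked and the invariant recorded next to the swap, e.g. `/* eap->cmd and eap->arg pointed into the old line; they must not be used from here on */`. The comment should also say that `line_to_free` is non-NULL only when the line came from getline(), which is what lets `nextcmd = line_arg` skip the swap. That pairing is inferred from the `else` branch in the previous hunk, whose `if` lies outside the visible lines.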
@@ -2212,24 +2229,15 @@ ex_function(exarg_T *eap)
 
 	/* Add the line to the function. */
 	if (ga_grow(&newlines, 1 + sourcing_lnum_off) == FAIL)
-	{
-	    if (line_arg == NULL)
-		vim_free(theline);
 	    goto erret;
-	}
 
 	/* Copy the line to newly allocated memory.  get_one_sourceline()
 	 * allocates 250 bytes per line, this saves 80% on average.  The cost
 	 * is an extra alloc/free. */
 	p = vim_strsave(theline);
-	if (p != NULL)
-	{
-	    if (line_arg == NULL)
-		vim_free(theline);
-	    theline = p;
-	}
-
-	((char_u **)(newlines.ga_data))[newlines.ga_len++] = theline;
+	if (p == NULL)
+	    goto erret;
+	((char_u **)(newlines.ga_data))[newlines.ga_len++] = p;
 
 	/* Add NULL lines for continuation lines, so that the line count is
 	 * equal to the index in the growarray.   */
@@ -2428,6 +2436,7 @@ errret_2:
     ga_clear_strings(&newlines);
 ret_free:
     vim_free(skip_until);
+    vim_free(line_to_free);
     vim_free(fudi.fd_newkey);
     vim_free(name);
     did_emsg |= saved_did_emsg;
--- a/src/version.c
+++ b/src/version.c
@@ -765,6 +765,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    667,
+/**/
     666,
 /**/
     665,