vim: src/vim9compile.c comparison

comparison src/vim9compile.c @ 25507:1ac82ad3ee01 v8.2.3290

patch 8.2.3290: Vim9: compiling dict may use pointer after free Commit: https://github.com/vim/vim/commit/9fe17d473a6041e2ea85229f4fa09831d910def4 Author: Zdenek Dohnal <zdohnal@redhat.com> Date: Wed Aug 4 22:30:52 2021 +0200 patch 8.2.3290: Vim9: compiling dict may use pointer after free Problem: Vim9: compiling dict may use pointer after free and leak memory on failure. Solution: Pass a pointer to generate_PUSHS(). (Zdenek Dohnal, closes #8699)

author	Bram Moolenaar <Bram@vim.org>
date	Wed, 04 Aug 2021 22:45:04 +0200
parents	0160aff01c32
children	f7db86111acd

comparison

equal deleted inserted replaced

-:743c0fa9dd79
+:1ac82ad3ee01
 }
 #endif
 /*
 * Generate an ISN_PUSHS instruction.
-* Consumes "str".
+* Consumes "*str".  When freed *str is set to NULL, unless "str" is NULL.
 */
 static int
-generate_PUSHS(cctx_T *cctx, char_u *str)
+generate_PUSHS(cctx_T *cctx, char_u **str)
 {
 isn_T	*isn;
 if (cctx->ctx_skip == SKIP_YES)
 {
-	vim_free(str);
+	if (str != NULL)
+	    VIM_CLEAR(*str);
 	return OK;
 }
 if ((isn = generate_instr_type(cctx, ISN_PUSHS, &t_string)) == NULL)
-	return FAIL;
+{
-isn->isn_arg.string = str;
+	if (str != NULL)
+	    VIM_CLEAR(*str);
+	return FAIL;
+}
+isn->isn_arg.string = str == NULL ? NULL : *str;
 return OK;
 }
 /*
 	    case VAR_BLOB:
 		generate_PUSHBLOB(cctx, tv->vval.v_blob);
 		tv->vval.v_blob = NULL;
 		break;
 	    case VAR_STRING:
-		generate_PUSHS(cctx, tv->vval.v_string);
+		generate_PUSHS(cctx, &tv->vval.v_string);
 		tv->vval.v_string = NULL;
 		break;
 	    default:
 		iemsg("constant type not supported");
 		clear_tv(tv);
 	    // {'name': value},
 	    // {name: value} use "name" as a literal key
 	    key = get_literal_key(arg);
 	    if (key == NULL)
 		return FAIL;
-	    if (generate_PUSHS(cctx, key) == FAIL)
+	    if (generate_PUSHS(cctx, &key) == FAIL)
 		return FAIL;
 	}
 	// Check for duplicate keys, if using string keys.
 	if (key != NULL)
 else // if (*p == '.')
 {
 	char_u *key_end = to_name_end(p + 1, TRUE);
 	char_u *key = vim_strnsave(p + 1, key_end - p - 1);
-	r = generate_PUSHS(cctx, key);
+	r = generate_PUSHS(cctx, &key);
 }
 return r;
 }
 /*
 	if (cctx->ctx_skip != SKIP_YES)
 	{
 	    // Push each line and the create the list.
 	    FOR_ALL_LIST_ITEMS(l, li)
 	    {
-		generate_PUSHS(cctx, li->li_tv.vval.v_string);
+		generate_PUSHS(cctx, &li->li_tv.vval.v_string);
 		li->li_tv.vval.v_string = NULL;
 	    }
 	    generate_NEWLIST(cctx, l->lv_len);
 	}
 	list_free(l);
 	pat = vim_strnsave(tofree == NULL ? p + 1 : tofree, len);
 	vim_free(tofree);
 	p += len + 2 + dropped;
 	if (pat == NULL)
 	    return FAIL;
-	if (generate_PUSHS(cctx, pat) == FAIL)
+	if (generate_PUSHS(cctx, &pat) == FAIL)
 	    return FAIL;
 	if (generate_COMPARE(cctx, EXPR_MATCH, FALSE) == FAIL)
 	    return NULL;
 	// EXECCONCAT 5
 	for (;;)
 	{
 	    if (p > start)
 	    {
-		generate_PUSHS(cctx, vim_strnsave(start, p - start));
+		char_u *val = vim_strnsave(start, p - start);
+		generate_PUSHS(cctx, &val);
 		++count;
 	    }
 	    p += 2;
 	    if (compile_expr0(&p, cctx) == FAIL)
 		return NULL;
 	    p = (char_u *)strstr((char *)start, "`=");
 	    if (p == NULL)
 	    {
 		if (*skipwhite(start) != NUL)
 		{
-		    generate_PUSHS(cctx, vim_strsave(start));
+		    char_u *val = vim_strsave(start);
+		    generate_PUSHS(cctx, &val);
 		    ++count;
 		}
 		break;
 	    }
 	}
 	    case CMD_echo:
 	    case CMD_echon:
 	    case CMD_execute:
 	    case CMD_echomsg:
 	    case CMD_echoerr:
+	    // TODO:  "echoconsole"
 		    line = compile_mult_expr(p, ea.cmdidx, &cctx);
 		    break;
 	    case CMD_put:
 		    ea.cmd = cmd;
 #else
 		    ex_ni(&ea);
 		    line = NULL;
 #endif
 		    break;
-	    // TODO: any other commands with an expression argument?
 	    case CMD_append:
 	    case CMD_change:
 	    case CMD_insert:
 	    case CMD_k:

Mercurial > vim

comparison src/vim9compile.c @ 25507:1ac82ad3ee01 v8.2.3290