diff src/eval.c @ 10381:14a82c6433be v8.0.0085

commit https://github.com/vim/vim/commit/8a01f969c198eeb655ad2f96f2796a6f6f4a1924 Author: Bram Moolenaar <Bram@vim.org> Date: Mon Nov 14 21:50:00 2016 +0100 patch 8.0.0085 Problem: Using freed memory with recursive function call. (Dominique Pelle) Solution: Make a copy of the function name.
author Christian Brabandt <cb@256bit.org>
date Mon, 14 Nov 2016 22:00:04 +0100
parents 66f1b5bf3fa6
children d3f0946b4a80
--- a/src/eval.c
+++ b/src/eval.c
@@ -4339,10 +4339,17 @@ eval7(
 		 * use its contents. */
 		s = deref_func_name(s, &len, &partial, !evaluate);
 
-		/* Invoke the function. */
-		ret = get_func_tv(s, len, rettv, arg,
-			  curwin->w_cursor.lnum, curwin->w_cursor.lnum,
-			  &len, evaluate, partial, NULL);
+		/* Need to make a copy, in case evaluating the arguments makes
+		 * the name invalid. */
+		s = vim_strsave(s);
+		if (s == NULL)
+		    ret = FAIL;
+		else
+		    /* Invoke the function. */
+		    ret = get_func_tv(s, len, rettv, arg,
+			      curwin->w_cursor.lnum, curwin->w_cursor.lnum,
+			      &len, evaluate, partial, NULL);
+		vim_free(s);
 
 		/* If evaluate is FALSE rettv->v_type was not set in
 		 * get_func_tv, but it's needed in handle_subscript() to parse
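Review bot: After `vim_free(s);` the variable `s` still holds the freed address, because the added code reuses `s` for the heap copy instead of a separate local. The rest of eval7 lies outside this hunk, so I cannot confirm that `s` is never read again; holding the copy in its own variable, or following the free with `s = NULL;`, would keep a later edit from reintroducing the use-after-free this patch fixes. `vim_strsave(s)` also copies up to the terminating NUL while the call passes `len` separately, so if `s` can point into the expression text, `vim_strnsave(s, len)` would copy only the name. Braces around the `if`/`else` bodies would make it plain that `vim_free(s)` runs on both paths.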