diff src/eval.c @ 15460:543cff56dd3f v8.1.0738

patch 8.1.0738: using freed memory, for loop over blob leaks memory commit https://github.com/vim/vim/commit/ecc8bc482ba601b9301a6c129c92a0d1f8527f72 Author: Bram Moolenaar <Bram@vim.org> Date: Sun Jan 13 16:07:21 2019 +0100 patch 8.1.0738: using freed memory, for loop over blob leaks memory Problem: Using freed memory, for loop over blob leaks memory. Solution: Clear pointer after freeing memory. Decrement reference count after for loop over blob.
author Bram Moolenaar <Bram@vim.org>
date Sun, 13 Jan 2019 16:15:06 +0100
parents 0f8065d7d68c
children 3faa7cc8207c
line wrap: on
line diff
--- a/src/eval.c
+++ b/src/eval.c
@@ -2615,6 +2615,8 @@ eval_for_line(
 		    clear_tv(&tv);
 		else
 		{
+		    // No need to increment the refcount, it's already set for
+		    // the blob being used in "tv".
 		    fi->fi_blob = b;
 		    fi->fi_bi = 0;
 		}
@@ -2684,6 +2686,8 @@ free_for_info(void *fi_void)
 	list_rem_watch(fi->fi_list, &fi->fi_lw);
 	list_unref(fi->fi_list);
     }
+    if (fi != NULL && fi->fi_blob != NULL)
+	blob_unref(fi->fi_blob);
     vim_free(fi);
 }
 
@@ -4217,8 +4221,12 @@ eval7(
 		    {
 			if (!vim_isxdigit(bp[1]))
 			{
-			    EMSG(_("E973: Blob literal should have an even number of hex characters"));
-			    vim_free(blob);
+			    if (blob != NULL)
+			    {
+				EMSG(_("E973: Blob literal should have an even number of hex characters"));
+				ga_clear(&blob->bv_ga);
+				VIM_CLEAR(blob);
+			    }
 			    ret = FAIL;
 			    break;
 			}
@@ -4227,11 +4235,7 @@ eval7(
 					 (hex2nr(*bp) << 4) + hex2nr(*(bp+1)));
 		    }
 		    if (blob != NULL)
-		    {
-			++blob->bv_refcount;
-			rettv->v_type = VAR_BLOB;
-			rettv->vval.v_blob = blob;
-		    }
+			rettv_blob_set(rettv, blob);
 		    *arg = bp;
 		}
 		else