# HG changeset patch # User Bram Moolenaar # Date 1604666704 -3600 # Node ID 70eb58639009a87914ad5a73afc0ebf8f1557240 # Parent a0fd0f3ab597e2f2e783af19d72b9b82491a1041 patch 8.2.1962: netbeans may access freed memory Commit: https://github.com/vim/vim/commit/32e5ec0b017adb68fe36adb9a9a362abdaffe7f4 Author: Bram Moolenaar Date: Fri Nov 6 13:44:21 2020 +0100 patch 8.2.1962: netbeans may access freed memory Problem: Netbeans may access freed memory. Solution: Check the buffer pointer is still valid. Add a test. (Yegappan Lakshmanan, closes #7248) diff --git a/src/netbeans.c b/src/netbeans.c --- a/src/netbeans.c +++ b/src/netbeans.c @@ -572,7 +572,7 @@ nb_free(void) buf = buf_list[i]; vim_free(buf.displayname); vim_free(buf.signmap); - if (buf.bufp != NULL) + if (buf.bufp != NULL && buf_valid(buf.bufp)) { buf.bufp->b_netbeans_file = FALSE; buf.bufp->b_was_netbeans_file = FALSE; @@ -1943,15 +1943,13 @@ nb_do_cmd( if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH) { emsg("E532: highlighting color name too long in defineAnnoType"); - vim_free(typeName); + VIM_CLEAR(typeName); parse_error = TRUE; } else if (typeName != NULL && tooltip != NULL && glyphFile != NULL) addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg); - else - vim_free(typeName); - - // don't free typeName; it's used directly in addsigntype() + + vim_free(typeName); vim_free(fg); vim_free(bg); vim_free(tooltip); @@ -3240,7 +3238,7 @@ addsigntype( } } - globalsignmap[i] = (char *)typeName; + globalsignmap[i] = (char *)vim_strsave(typeName); globalsignmapused = i + 1; } diff --git a/src/testdir/test_netbeans.vim b/src/testdir/test_netbeans.vim --- a/src/testdir/test_netbeans.vim +++ b/src/testdir/test_netbeans.vim @@ -34,9 +34,9 @@ endfunc " Read the "Xnetbeans" file and filter out geometry messages. func ReadXnetbeans() let l = readfile("Xnetbeans") - " Xnetbeans may include '0:geometry=' messages on GUI environment if window + " Xnetbeans may include '0:geometry=' messages in the GUI Vim if the window " position, size, or z order are changed. Remove these messages because - " will causes troubles on check. + " these message will break the assert for the output. return filter(l, 'v:val !~ "^0:geometry="') endfunc @@ -388,7 +388,7 @@ func Nb_basic(port) call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none', l[-1]) sleep 1m call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'}, - \ sign_getdefined()[0]) + \ sign_getdefined()->get(0, {})) let g:last += 3 " defineAnnoType with a long color name @@ -892,4 +892,44 @@ func Test_nb_quit_with_conn() call s:run_server('Nb_quit_with_conn') endfunc +func Nb_bwipe_buffer(port) + call delete("Xnetbeans") + call writefile([], "Xnetbeans") + + " Last line number in the Xnetbeans file. Used to verify the result of the + " communication with the netbeans server + let g:last = 0 + + " Establish the connection with the netbeans server + exe 'nbstart :localhost:' .. a:port .. ':bunny' + call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') + let l = ReadXnetbeans() + call assert_equal(['AUTH bunny', + \ '0:version=0 "2.5"', + \ '0:startupDone=0'], l[-3:]) + let g:last += 3 + + " Open the command buffer to communicate with the server + split Xcmdbuf + call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') + let l = ReadXnetbeans() + call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', + \ substitute(l[-3], '".*/', '"', '')) + call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', + \ substitute(l[-2], '".*/', '"', '')) + call assert_equal('1:startDocumentListen!16', l[-1]) + let g:last += 3 + + sleep 10m +endfunc + +" This test used to reference a buffer after it was freed leading to an ASAN +" error. +func Test_nb_bwipe_buffer() + call s:run_server('Nb_bwipe_buffer') + %bwipe! + sleep 100m + nbclose +endfunc + " vim: shiftwidth=2 sts=2 expandtab diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -751,6 +751,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1962, +/**/ 1961, /**/ 1960,