changeset 13990:017c5462ed5e v8.1.0013

patch 8.1.0013: using freed memory when changing terminal cursor color commit https://github.com/vim/vim/commit/4f7fd56b423245786f223a370c6fbfc12e3f37eb Author: Bram Moolenaar <Bram@vim.org> Date: Mon May 21 14:55:28 2018 +0200 patch 8.1.0013: using freed memory when changing terminal cursor color Problem: Using freed memory when changing terminal cursor color. Solution: Make a copy of the color. (Dominique Pelle, closes https://github.com/vim/vim/issues/2938, closes #2941)
author Christian Brabandt <cb@256bit.org>
date Mon, 21 May 2018 15:00:07 +0200
parents 12d747cf6cb2
children e34014a5bfd8
files src/terminal.c src/version.c
diffstat 2 files changed, 33 insertions(+), 21 deletions(-) [+]
line wrap: on
line diff
--- a/src/terminal.c
+++ b/src/terminal.c
@@ -171,8 +171,8 @@ static int term_default_cterm_bg = -1;
 
 /* Store the last set and the desired cursor properties, so that we only update
  * them when needed.  Doing it unnecessary may result in flicker. */
-static char_u	*last_set_cursor_color = (char_u *)"";
-static char_u	*desired_cursor_color = (char_u *)"";
+static char_u	*last_set_cursor_color = NULL;
+static char_u	*desired_cursor_color = NULL;
 static int	last_set_cursor_shape = -1;
 static int	desired_cursor_shape = -1;
 static int	last_set_cursor_blink = -1;
@@ -183,6 +183,28 @@ static int	desired_cursor_blink = -1;
  * 1. Generic code for all systems.
  */
 
+    static void
+cursor_color_copy(char_u** to_color, char_u* from_color)
+{
+    vim_free(*to_color);
+    *to_color = (from_color == NULL) ? NULL : vim_strsave(from_color);
+}
+
+	static int
+cursor_color_equal(char_u *lhs_color, char_u *rhs_color)
+{
+    if (lhs_color != NULL && rhs_color != NULL)
+	return STRCMP(lhs_color, rhs_color) == 0;
+    return lhs_color == NULL && rhs_color == NULL;
+}
+
+	static char_u *
+cursor_color_get(char_u *color)
+{
+    return (color == NULL) ? (char_u *)"" : color;
+}
+
+
 /*
  * Parse 'termwinsize' and set "rows" and "cols" for the terminal size in the
  * current window.
@@ -823,8 +845,6 @@ free_terminal(buf_T *buf)
     if (term->tl_out_fd != NULL)
 	fclose(term->tl_out_fd);
 #endif
-    if (desired_cursor_color == term->tl_cursor_color)
-	desired_cursor_color = (char_u *)"";
     vim_free(term->tl_cursor_color);
     vim_free(term);
     buf->b_term = NULL;
@@ -1954,14 +1974,14 @@ term_get_cursor_shape(guicolor_T *fg, gu
     static void
 may_output_cursor_props(void)
 {
-    if (STRCMP(last_set_cursor_color, desired_cursor_color) != 0
+    if (!cursor_color_equal(last_set_cursor_color, desired_cursor_color)
 	    || last_set_cursor_shape != desired_cursor_shape
 	    || last_set_cursor_blink != desired_cursor_blink)
     {
-	last_set_cursor_color = desired_cursor_color;
+	cursor_color_copy(&last_set_cursor_color, desired_cursor_color);
 	last_set_cursor_shape = desired_cursor_shape;
 	last_set_cursor_blink = desired_cursor_blink;
-	term_cursor_color(desired_cursor_color);
+	term_cursor_color(cursor_color_get(desired_cursor_color));
 	if (desired_cursor_shape == -1 || desired_cursor_blink == -1)
 	    /* this will restore the initial cursor style, if possible */
 	    ui_cursor_shape_forced(TRUE);
@@ -1984,10 +2004,7 @@ may_set_cursor_props(term_T *term)
 #endif
     if (in_terminal_loop == term)
     {
-	if (term->tl_cursor_color != NULL)
-	    desired_cursor_color = term->tl_cursor_color;
-	else
-	    desired_cursor_color = (char_u *)"";
+	cursor_color_copy(&desired_cursor_color, term->tl_cursor_color);
 	desired_cursor_shape = term->tl_cursor_shape;
 	desired_cursor_blink = term->tl_cursor_blink;
 	may_output_cursor_props();
@@ -2004,7 +2021,7 @@ prepare_restore_cursor_props(void)
     if (gui.in_use)
 	return;
 #endif
-    desired_cursor_color = (char_u *)"";
+    cursor_color_copy(&desired_cursor_color, NULL);
     desired_cursor_shape = -1;
     desired_cursor_blink = -1;
     may_output_cursor_props();
@@ -2624,13 +2641,7 @@ handle_settermprop(
 	    break;
 
 	case VTERM_PROP_CURSORCOLOR:
-	    if (desired_cursor_color == term->tl_cursor_color)
-		desired_cursor_color = (char_u *)"";
-	    vim_free(term->tl_cursor_color);
-	    if (*value->string == NUL)
-		term->tl_cursor_color = NULL;
-	    else
-		term->tl_cursor_color = vim_strsave((char_u *)value->string);
+	    cursor_color_copy(&term->tl_cursor_color, (char_u*)value->string);
 	    may_set_cursor_props(term);
 	    break;
 
@@ -4711,8 +4722,7 @@ f_term_getcursor(typval_T *argvars, typv
 	dict_add_nr_str(d, "blink", blink_state_is_inverted()
 		       ? !term->tl_cursor_blink : term->tl_cursor_blink, NULL);
 	dict_add_nr_str(d, "shape", term->tl_cursor_shape, NULL);
-	dict_add_nr_str(d, "color", 0L, term->tl_cursor_color == NULL
-				       ? (char_u *)"" : term->tl_cursor_color);
+	dict_add_nr_str(d, "color", 0L, cursor_color_get(term->tl_cursor_color));
 	list_append_dict(l, d);
     }
 }
--- a/src/version.c
+++ b/src/version.c
@@ -762,6 +762,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    13,
+/**/
     12,
 /**/
     11,