changeset 29814:1aec47ab35f0 v9.0.0246

patch 9.0.0246: using freed memory when 'tagfunc' deletes the buffer Commit: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c Author: Bram Moolenaar <Bram@vim.org> Date: Mon Aug 22 16:35:45 2022 +0100 patch 9.0.0246: using freed memory when 'tagfunc' deletes the buffer Problem: Using freed memory when 'tagfunc' deletes the buffer. Solution: Make a copy of the tag name.
author Bram Moolenaar <Bram@vim.org>
date Mon, 22 Aug 2022 17:45:03 +0200
parents dfd9d7ab4a5a
children 9941dc321348
files src/tag.c src/testdir/test_tagfunc.vim src/version.c
diffstat 3 files changed, 22 insertions(+), 1 deletions(-) [+]
--- a/src/tag.c
+++ b/src/tag.c
@@ -281,6 +281,7 @@ do_tag(
     char_u	*buf_ffname = curbuf->b_ffname;	    // name to use for
 						    // priority computation
     int		use_tfu = 1;
+    char_u	*tofree = NULL;
 
     // remember the matches for the last used tag
     static int		num_matches = 0;
@@ -630,7 +631,12 @@ do_tag(
 	 * When desired match not found yet, try to find it (and others).
 	 */
 	if (use_tagstack)
-	    name = tagstack[tagstackidx].tagname;
+	{
+	    // make a copy, the tagstack may change in 'tagfunc'
+	    name = vim_strsave(tagstack[tagstackidx].tagname);
+	    vim_free(tofree);
+	    tofree = name;
+	}
 #if defined(FEAT_QUICKFIX)
 	else if (g_do_tagpreview != 0)
 	    name = ptag_entry.tagname;
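Review bot: The result of `vim_strsave()` in the `use_tagstack` branch is stored in `name` without a NULL check, so an allocation failure leaves `name` NULL for the rest of do_tag(), which continues outside this hunk. If the following code compares or dereferences `name` (likely, since it is the tag being looked up), an out-of-memory condition becomes a NULL dereference. Adding `if (name == NULL) goto end_do_tag;` after `tofree = name;` would fail cleanly, provided end_do_tag is a safe exit at this point in the function. The `g_do_tagpreview` branch still borrows `ptag_entry.tagname` directly, so it is worth confirming that 'tagfunc' cannot free or replace that string in the same way as the tagstack entry.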
@@ -922,6 +928,7 @@ end_do_tag:
     g_do_tagpreview = 0;	// don't do tag preview next time
 # endif
 
+    vim_free(tofree);
 #ifdef FEAT_CSCOPE
     return jumped_to_tag;
 #else
--- a/src/testdir/test_tagfunc.vim
+++ b/src/testdir/test_tagfunc.vim
@@ -389,4 +389,16 @@ func Test_tagfunc_callback()
   %bw!
 endfunc
 
+func Test_tagfunc_wipes_buffer()
+  func g:Tag0unc0(t,f,o)
+   bwipe
+  endfunc
+  set tagfunc=g:Tag0unc0
+  new
+  cal assert_fails('tag 0', 'E987:')
+
+  delfunc g:Tag0unc0
+  set tagfunc=
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
--- a/src/version.c
+++ b/src/version.c
@@ -732,6 +732,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    246,
+/**/
     245,
 /**/
     244,