Mercurial > vim
changeset 29410:be069ab9d583 v9.0.0047
patch 9.0.0047: using freed memory with recursive substitute
Commit: https://github.com/vim/vim/commit/32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea
Author: Bram Moolenaar <Bram@vim.org>
Date: Thu Jul 7 22:20:31 2022 +0100
patch 9.0.0047: using freed memory with recursive substitute
Problem: Using freed memory with recursive substitute.
Solution: Always make a copy for reg_prev_sub.
| author | Bram Moolenaar <Bram@vim.org> |
|---|---|
| date | Thu, 07 Jul 2022 23:30:02 +0200 |
| parents | 928bf80ce1e8 |
| children | 56462ac9f1ef |
| files | src/ex_cmds.c src/regexp.c src/testdir/test_regexp_latin.vim src/version.c |
| diffstat | 4 files changed, 27 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -3994,7 +3994,16 @@ ex_substitute(exarg_T *eap) sub_copy = sub; } else - sub = regtilde(sub, magic_isset()); + { + char_u *newsub = regtilde(sub, magic_isset()); + + if (newsub != sub) + { + // newsub was allocated, free it later. + sub_copy = newsub; + sub = newsub; + } + } /* * Check for a match on each line.
--- a/src/regexp.c +++ b/src/regexp.c @@ -1766,11 +1766,11 @@ regtilde(char_u *source, int magic) } } + // Store a copy of newsub in reg_prev_sub. It is always allocated, + // because recursive calls may make the returned string invalid. vim_free(reg_prev_sub); - if (newsub != source) // newsub was allocated, just keep it - reg_prev_sub = newsub; - else // no ~ found, need to save newsub - reg_prev_sub = vim_strsave(newsub); + reg_prev_sub = vim_strsave(newsub); + return newsub; }
--- a/src/testdir/test_regexp_latin.vim +++ b/src/testdir/test_regexp_latin.vim @@ -1114,4 +1114,15 @@ func Test_using_two_engines_pattern() bwipe! endfunc +func Test_recursive_substitute_expr() + new + func Repl() + s + endfunc + silent! s/\%')/~\=Repl() + + bwipe! + delfunc Repl +endfunc + " vim: shiftwidth=2 sts=2 expandtab