changeset 29367:cc4b36422ecb v9.0.0026

patch 9.0.0026: accessing freed memory with diff put Commit: https://github.com/vim/vim/commit/c5274dd12224421f2430b30c53b881b9403d649e Author: Bram Moolenaar <Bram@vim.org> Date: Sat Jul 2 15:10:00 2022 +0100 patch 9.0.0026: accessing freed memory with diff put Problem: Accessing freed memory with diff put. Solution: Bail out when diff pointer is no longer valid.
author Bram Moolenaar <Bram@vim.org>
date Sat, 02 Jul 2022 16:15:03 +0200
parents d937ba61d344
children 8828385b55da
files src/diff.c src/version.c
diffstat 2 files changed, 24 insertions(+), 2 deletions(-) [+]
--- a/src/diff.c
+++ b/src/diff.c
@@ -2643,6 +2643,20 @@ nv_diffgetput(int put, long count)
 }
 
 /*
+ * Return TRUE if "diff" appears in the list of diff blocks of the current tab.
+ */
+    static int
+valid_diff(diff_T *diff)
+{
+    diff_T	*dp;
+
+    for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next)
+	if (dp == diff)
+	    return TRUE;
+    return FALSE;
+}
+
+/*
  * ":diffget"
  * ":diffput"
  */
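Review bot: valid_diff() is only safe because it compares the pointer value and never dereferences `diff`, and the header comment should say so, since the caller passes a pointer that may already have been freed: ` * "diff" may point to freed memory: only its address is compared, it is never dereferenced.  NULL yields FALSE.` Strictly, C11 treats the value of a pointer to a freed object as indeterminate, so even the comparison is outside the standard; in practice compilers treat it as an integer compare, which is what this relies on and is worth stating for the next reader. The scan is linear in the tab's diff list, so calling it once per processed block makes the caller's loop quadratic in the number of diff blocks; that is presumably acceptable here but deserves a word in the comment.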
@@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap)
 		}
 	    }
 
-	    // Adjust marks.  This will change the following entries!
 	    if (added != 0)
 	    {
+		// Adjust marks.  This will change the following entries!
 		mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
 		if (curwin->w_cursor.lnum >= lnum)
 		{
@@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap)
 #endif
 		vim_free(dfree);
 	    }
-	    else
+
+	    // mark_adjust() may have made "dp" invalid.  We don't know where
+	    // to continue then, bail out.
+	    if (added != 0 && !valid_diff(dp))
+		break;
+
+	    if (dfree == NULL)
 		// mark_adjust() may have changed the count in a wrong way
 		dp->df_count[idx_to] = new_count;
 
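Review bot: The new bail-out at `if (added != 0 && !valid_diff(dp)) break;` silently abandons the remaining diff blocks of a ranged :diffget/:diffput, and nothing tells the user that only part of the range was applied; at minimum the comment should say the rest is deliberately skipped, e.g. `// to continue then, bail out and leave the remaining blocks untouched.` Because valid_diff() compares only addresses, a stale "dp" could still pass the check if a new diff_T were allocated at the same address during mark_adjust(); that seems unlikely, but the write to `dp->df_count[idx_to]` on the following line would then hit the wrong block, so the membership check is a mitigation rather than a guarantee and should be documented as such. ex_diffgetput() and the loop this sits in begin and continue outside the hunk.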
--- a/src/version.c
+++ b/src/version.c
@@ -736,6 +736,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    26,
+/**/
     25,
 /**/
     24,