changeset 13144:20fb8c711050 v8.0.1446

patch 8.0.1446: accessing freed memory after window command in auto command commit https://github.com/vim/vim/commit/6f361c991221e96d5068c77b854967d997b1529b Author: Bram Moolenaar <Bram@vim.org> Date: Wed Jan 31 19:06:50 2018 +0100 patch 8.0.1446: accessing freed memory after window command in auto command Problem: Accessing freed memory after window command in auto command. (gy741) Solution: Adjust the pointer in the parent frame. (Christian Brabandt, closes #2467)
author Christian Brabandt <cb@256bit.org>
date Wed, 31 Jan 2018 19:15:06 +0100
parents cf4e3ef40ba4
children e85e221ef3ce
files src/testdir/test_window_cmd.vim src/version.c src/window.c
diffstat 3 files changed, 22 insertions(+), 1 deletions(-) [+]
--- a/src/testdir/test_window_cmd.vim
+++ b/src/testdir/test_window_cmd.vim
@@ -472,4 +472,15 @@ func Test_window_colon_command()
   exe "norm! v\<C-W>:\<C-U>echo v:version"
 endfunc
 
+func Test_access_freed_mem()
+  " This was accessing freed memory
+  au * 0 vs xxx
+  arg 0
+  argadd
+  all
+  all
+  au!
+  bwipe xxx
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
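Review bot: The `au!` at the end of Test_access_freed_mem removes every autocommand in the default group, not only the `* 0` handler the test registered, so autocommands left in that group by the test harness or by an earlier test are silently dropped; `au! * 0` removes exactly what this test added. The test also changes the global argument list with `arg 0` and `argadd` and never restores it, which can leak into later tests in this file; a trailing `%argdelete` would undo it. Both are one-line changes and keep the reproduction itself intact.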
--- a/src/version.c
+++ b/src/version.c
@@ -772,6 +772,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1446,
+/**/
     1445,
 /**/
     1444,
--- a/src/window.c
+++ b/src/window.c
@@ -2731,6 +2731,8 @@ winframe_remove(
 	if (frp2->fr_win != NULL)
 	    frp2->fr_win->w_frame = frp2->fr_parent;
 	frp = frp2->fr_parent;
+	if (topframe->fr_child == frp2)
+	    topframe->fr_child = frp;
 	vim_free(frp2);
 
 	frp2 = frp->fr_parent;
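Review bot: The guard added before `vim_free(frp2)` is undocumented, and its precondition is easy to misread: when it runs, `frp` already holds `frp2->fr_parent`, so the assignment `topframe->fr_child = frp` only makes sense if `topframe->fr_child` still points at `frp2` although `frp2`'s parent is not `topframe` (if the parent were `topframe`, the parent's `fr_child` was presumably redirected earlier in this function and the guard would otherwise make `topframe` its own child). That is an inconsistent frame tree, the state Test_access_freed_mem reproduces through an autocommand, and it should be stated where the repair happens, e.g. `/* An autocommand may have left topframe->fr_child pointing at frp2 while frp2's parent is elsewhere; repoint it before the frame is freed. */`. The same unexplained guard appears again before the second `vim_free(frp)` in the next hunk, and the "special case" comment in frame_remove does not say why the case can exist either. winframe_remove begins and ends outside this hunk.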
@@ -2754,6 +2756,8 @@ winframe_remove(
 		    break;
 		}
 	    }
+	    if (topframe->fr_child == frp)
+		topframe->fr_child = frp2;
 	    vim_free(frp);
 	}
     }
@@ -3499,7 +3503,6 @@ win_alloc_firstwin(win_T *oldwin)
     topframe = curwin->w_frame;
     topframe->fr_width = Columns;
     topframe->fr_height = Rows - p_ch;
-    topframe->fr_win = curwin;
 
     return OK;
 }
@@ -4812,7 +4815,12 @@ frame_remove(frame_T *frp)
     if (frp->fr_prev != NULL)
 	frp->fr_prev->fr_next = frp->fr_next;
     else
+    {
 	frp->fr_parent->fr_child = frp->fr_next;
+	/* special case: topframe->fr_child == frp */
+	if (topframe->fr_child == frp)
+	    topframe->fr_child = frp->fr_next;
+    }
     if (frp->fr_next != NULL)
 	frp->fr_next->fr_prev = frp->fr_prev;
 }
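Review bot: The new `topframe->fr_child` repair only runs in the `else` branch, i.e. when `frp->fr_prev == NULL`; if the stale-pointer state this patch guards against can also leave `topframe->fr_child` naming a frame that has a previous sibling, the caller still frees `frp` with `topframe->fr_child` dangling. Because the `frp->fr_parent->fr_child = frp->fr_next;` line already covers a parent that is `topframe`, the guard does not depend on the branch and can sit after the `if`/`else` instead: `if (topframe->fr_child == frp) topframe->fr_child = frp->fr_next;`, with the braces added to the `else` dropped again. Whether the inconsistent state can arise with `fr_prev` set cannot be determined from this hunk; if it cannot, a comment saying so next to the `special case` line would settle it. frame_remove's signature is only in the hunk header; its body lies fully within the hunk.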