diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2022-06-24 06:30:47 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2022-06-24 07:26:06 +0800 |
| commit | 589f418fceadfbbc10a6d1d37dd5d2ed026342b5 (patch) | |
| tree | 386f4ed7ce2417f3a36a05ba620194206e86c6b0 | |
| parent | 0cf0be302beb3029d245814eca427f4a4ebd2f67 (diff) | |
| download | rneovim-589f418fceadfbbc10a6d1d37dd5d2ed026342b5.tar.gz rneovim-589f418fceadfbbc10a6d1d37dd5d2ed026342b5.tar.bz2 rneovim-589f418fceadfbbc10a6d1d37dd5d2ed026342b5.zip | |
vim-patch:8.2.4977: memory access error when substitute expression changes window
Problem: Memory access error when substitute expression changes window.
Solution: Disallow changing window in substitute expression.
https://github.com/vim/vim/commit/e2bd8600b873d2cd1f9d667c28cba8b1dba18839
"textwinlock" was renamed back to "textlock" in patch 8.2.5029.
| -rw-r--r-- | src/nvim/ex_cmds.c | 7 | ||||
| -rw-r--r-- | src/nvim/testdir/test_substitute.vim | 13 |
2 files changed, 20 insertions, 0 deletions
diff --git a/src/nvim/ex_cmds.c b/src/nvim/ex_cmds.c index 73e6e4a62f..7f929eec3e 100644 --- a/src/nvim/ex_cmds.c +++ b/src/nvim/ex_cmds.c @@ -4069,11 +4069,16 @@ static int do_sub(exarg_T *eap, proftime_T timeout, long cmdpreview_ns, handle_T // Save flags for recursion. They can change for e.g. // :s/^/\=execute("s#^##gn") subflags_T subflags_save = subflags; + + // Disallow changing text or switching window in an expression. + textlock++; // get length of substitution part sublen = vim_regsub_multi(®match, sub_firstlnum - regmatch.startpos[0].lnum, (char_u *)sub, (char_u *)sub_firstline, 0, REGSUB_BACKSLASH | (p_magic ? REGSUB_MAGIC : 0)); + textlock--; + // If getting the substitute string caused an error, don't do // the replacement. // Don't keep flags set by a recursive call @@ -4111,10 +4116,12 @@ static int do_sub(exarg_T *eap, proftime_T timeout, long cmdpreview_ns, handle_T int start_col = new_end - new_start; current_match.start.col = start_col; + textlock++; (void)vim_regsub_multi(®match, sub_firstlnum - regmatch.startpos[0].lnum, (char_u *)sub, (char_u *)new_end, sublen, REGSUB_COPY | REGSUB_BACKSLASH | (p_magic ? REGSUB_MAGIC : 0)); + textlock--; sub_nsubs++; did_sub = true; diff --git a/src/nvim/testdir/test_substitute.vim b/src/nvim/testdir/test_substitute.vim index c45f1e7ec6..2c24ce436f 100644 --- a/src/nvim/testdir/test_substitute.vim +++ b/src/nvim/testdir/test_substitute.vim @@ -838,6 +838,19 @@ func Test_using_old_sub() set nocompatible endfunc +" This was switching windows in between computing the length and using it. +func Test_sub_change_window() + silent! lfile + sil! norm o0000000000000000000000000000000000000000000000000000 + func Repl() + lopen + endfunc + silent! s/\%')/\=Repl() + bwipe! + bwipe! + delfunc Repl +endfunc + " Test for the 2-letter and 3-letter :substitute commands func Test_substitute_short_cmd() new |