aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorzeertzjq <zeertzjq@outlook.com>2023-05-13 22:29:07 +0800
committerzeertzjq <zeertzjq@outlook.com>2023-05-13 22:45:59 +0800
commit7eea6b12f98c4319d2f358ee1c1ebd3f5b2dfa62 (patch)
treeefa4f370ef380fb3131d09aaa1b1ec8dc373d248
parentf80cf0f84f6e39dc3dfd1697eb911ac28b6ec97d (diff)
downloadrneovim-7eea6b12f98c4319d2f358ee1c1ebd3f5b2dfa62.tar.gz
rneovim-7eea6b12f98c4319d2f358ee1c1ebd3f5b2dfa62.tar.bz2
rneovim-7eea6b12f98c4319d2f358ee1c1ebd3f5b2dfa62.zip
vim-patch:9.0.0490: using freed memory with cmdwin and BufEnter autocmd
Problem: Using freed memory with cmdwin and BufEnter autocmd. Solution: Make sure pointer to b_p_iminsert is still valid. https://github.com/vim/vim/commit/1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Co-authored-by: Bram Moolenaar <Bram@vim.org>
Diffstat
-rw-r--r--src/nvim/ex_getln.c14
-rw-r--r--test/old/testdir/test_cmdwin.vim10
2 files changed, 18 insertions, 6 deletions
diff --git a/src/nvim/ex_getln.c b/src/nvim/ex_getln.c
index 1345a29a21..a4c1863576 100644
--- a/src/nvim/ex_getln.c
+++ b/src/nvim/ex_getln.c
@@ -127,6 +127,7 @@ typedef struct command_line_state {
int break_ctrl_c;
expand_T xpc;
long *b_im_ptr;
+ buf_T *b_im_ptr_buf; ///< buffer where b_im_ptr is valid
} CommandLineState;
typedef struct cmdpreview_win_info {
@@ -736,7 +737,7 @@ static uint8_t *command_line_enter(int firstc, long count, int indent, bool clea
} else {
s->b_im_ptr = &curbuf->b_p_imsearch;
}
-
+ s->b_im_ptr_buf = curbuf;
if (*s->b_im_ptr == B_IMODE_LMAP) {
State |= MODE_LANGMAP;
}
@@ -1538,20 +1539,21 @@ static int command_line_erase_chars(CommandLineState *s)
/// language :lmap mappings and/or Input Method.
static void command_line_toggle_langmap(CommandLineState *s)
{
+ long *b_im_ptr = buf_valid(s->b_im_ptr_buf) ? s->b_im_ptr : NULL;
if (map_to_exists_mode("", MODE_LANGMAP, false)) {
// ":lmap" mappings exists, toggle use of mappings.
State ^= MODE_LANGMAP;
- if (s->b_im_ptr != NULL) {
+ if (b_im_ptr != NULL) {
if (State & MODE_LANGMAP) {
- *s->b_im_ptr = B_IMODE_LMAP;
+ *b_im_ptr = B_IMODE_LMAP;
} else {
- *s->b_im_ptr = B_IMODE_NONE;
+ *b_im_ptr = B_IMODE_NONE;
}
}
}
- if (s->b_im_ptr != NULL) {
- if (s->b_im_ptr == &curbuf->b_p_iminsert) {
+ if (b_im_ptr != NULL) {
+ if (b_im_ptr == &curbuf->b_p_iminsert) {
set_iminsert_global(curbuf);
} else {
set_imsearch_global(curbuf);
diff --git a/test/old/testdir/test_cmdwin.vim b/test/old/testdir/test_cmdwin.vim
index e54945f1b6..e53dd1cb6f 100644
--- a/test/old/testdir/test_cmdwin.vim
+++ b/test/old/testdir/test_cmdwin.vim
@@ -28,5 +28,15 @@ func Test_normal_escape()
call assert_equal('" bar', @:)
endfunc
+" This was using a pointer to a freed buffer
+func Test_cmdwin_freed_buffer_ptr()
+ au BufEnter * next 0| file
+ edit 0
+ silent! norm q/
+
+ au! BufEnter
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
generated by cgit (git 2.34.1) at 2025-04-28 19:43:44 +0000