diff options
| author | f380cedric <f380cedric@users.noreply.github.com> | 2022-01-27 14:59:30 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-27 14:59:30 +0100 |
| commit | c5ac04331bdde5dd226c8e058103ed0fd1d140b7 (patch) | |
| tree | b28a0803debe17061b7a30a96a9ad35060adff27 | |
| parent | 5182627ce97162b90d8d6c34408c4ce937e1072c (diff) | |
| download | rneovim-c5ac04331bdde5dd226c8e058103ed0fd1d140b7.tar.gz rneovim-c5ac04331bdde5dd226c8e058103ed0fd1d140b7.tar.bz2 rneovim-c5ac04331bdde5dd226c8e058103ed0fd1d140b7.zip | |
vim-patch:8.2.3612: using freed memory with regexp using a mark (#16973)
Problem: Using freed memory with regexp using a mark.
Solution: Get the line again after getting the mark position.
https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
| -rw-r--r-- | src/nvim/regexp.c | 2 | ||||
| -rw-r--r-- | src/nvim/regexp_nfa.c | 7 | ||||
| -rw-r--r-- | src/nvim/testdir/test_regexp_latin.vim | 8 |
3 files changed, 16 insertions, 1 deletions
diff --git a/src/nvim/regexp.c b/src/nvim/regexp.c index 45e580dbee..c8508179a1 100644 --- a/src/nvim/regexp.c +++ b/src/nvim/regexp.c @@ -3232,7 +3232,7 @@ typedef struct { // The current match-position is remembered with these variables: linenr_T lnum; ///< line number, relative to first line char_u *line; ///< start of current line - char_u *input; ///< current input, points into "regline" + char_u *input; ///< current input, points into "line" int need_clear_subexpr; ///< subexpressions still need to be cleared int need_clear_zsubexpr; ///< extmatch subexpressions still need to be diff --git a/src/nvim/regexp_nfa.c b/src/nvim/regexp_nfa.c index cafffc0319..133858f113 100644 --- a/src/nvim/regexp_nfa.c +++ b/src/nvim/regexp_nfa.c @@ -6071,8 +6071,15 @@ static int nfa_regmatch(nfa_regprog_T *prog, nfa_state_T *start, case NFA_MARK_GT: case NFA_MARK_LT: { + size_t col = rex.input - rex.line; pos_T *pos = getmark_buf(rex.reg_buf, t->state->val, false); + // Line may have been freed, get it again. + if (REG_MULTI) { + rex.line = reg_getline(rex.lnum); + rex.input = rex.line + col; + } + // Compare the mark position to the match position, if the mark // exists and mark is set in reg_buf. if (pos != NULL && pos->lnum > 0) { diff --git a/src/nvim/testdir/test_regexp_latin.vim b/src/nvim/testdir/test_regexp_latin.vim index 712f1e6025..a92f7e1192 100644 --- a/src/nvim/testdir/test_regexp_latin.vim +++ b/src/nvim/testdir/test_regexp_latin.vim @@ -787,4 +787,12 @@ func Test_regexp_error() set re& endfunc +func Test_using_mark_position() + " this was using freed memory + new + norm O0 + call assert_fails("s/\\%')", 'E486:') + bwipe! +endfunc + " vim: shiftwidth=2 sts=2 expandtab |