diff options
| author | zeertzjq <zeertzjq@outlook.com> | 2025-02-02 16:00:04 +0800 |
|---|---|---|
| committer | zeertzjq <zeertzjq@outlook.com> | 2025-02-03 11:27:56 +0800 |
| commit | 82ac8294c22a15899548a1cb408ca114a598f434 (patch) | |
| tree | d943adb6b56dd29638207ab335c87cdc7e3f6906 /src/nvim/eval/userfunc.c | |
| parent | b853ef770a25fcd91def6c5016d65c336897c2cc (diff) | |
| download | rneovim-82ac8294c22a15899548a1cb408ca114a598f434.tar.gz rneovim-82ac8294c22a15899548a1cb408ca114a598f434.tar.bz2 rneovim-82ac8294c22a15899548a1cb408ca114a598f434.zip | |
vim-patch:9.1.1066: heap-use-after-free and stack-use-after-scope with :14verbose
Problem: heap-use-after-free and stack-use-after-scope with :14verbose
when using :return and :try (after 9.1.1063).
Solution: Move back the vim_free(tofree) and the scope of numbuf[].
(zeertzjq)
closes: vim/vim#16563
https://github.com/vim/vim/commit/2101230f4013860dbafcb0cab3f4e6bc92fb6f35
Diffstat (limited to 'src/nvim/eval/userfunc.c')
| -rw-r--r-- | src/nvim/eval/userfunc.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/nvim/eval/userfunc.c b/src/nvim/eval/userfunc.c index 6e7d921068..402798cafa 100644 --- a/src/nvim/eval/userfunc.c +++ b/src/nvim/eval/userfunc.c @@ -3672,12 +3672,11 @@ bool do_return(exarg_T *eap, bool reanimate, bool is_cmd, void *rettv) char *get_return_cmd(void *rettv) { char *s = NULL; + char *tofree = NULL; size_t slen = 0; if (rettv != NULL) { - char *tofree = NULL; tofree = s = encode_tv2echo((typval_T *)rettv, NULL); - xfree(tofree); } if (s == NULL) { s = ""; @@ -3688,10 +3687,11 @@ char *get_return_cmd(void *rettv) xstrlcpy(IObuff, ":return ", IOSIZE); xstrlcpy(IObuff + 8, s, IOSIZE - 8); size_t IObufflen = 8 + slen; - if (slen + 8 >= IOSIZE) { + if (IObufflen >= IOSIZE) { STRCPY(IObuff + IOSIZE - 4, "..."); - IObufflen += 3; + IObufflen = IOSIZE - 1; } + xfree(tofree); return xstrnsave(IObuff, IObufflen); } |