author | oni-link <knil.ino@gmail.com> | 2015-03-12 14:05:16 +0100 |
---|---|---|
committer | Justin M. Keyes <justinkz@gmail.com> | 2015-03-13 17:26:54 -0400 |
commit | a916696a130b2bb9517c01f77148dfb77ef304fd (patch) | |
tree | 43758e9c3e99a1ad65749be58a2f04f9f14a8fe8 /src/nvim/syntax.c | |
parent | bdbbdb5888e18025b0f95849a88fe6cb53454183 (diff) | |
syntax.c: Prevent use after free for variable g:colors_name.
ASan spotted a problem when using 'set background={light,dark}' with
color scheme solarized.
While loading the colors for color scheme 'g:colors_name', the pointer
on the value for this variable can become invalid, because of an 'unlet
colors_name' (part of an :highlight clear, syntax.c:6173).
To prevent the use of the freed value, decouple the value from
'g:colors_name' before calling load_colors() with it.
Diffstat (limited to 'src/nvim/syntax.c')
-rw-r--r-- | src/nvim/syntax.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/nvim/syntax.c b/src/nvim/syntax.c index 07f18bf93b..3f9466fd7c 100644 --- a/src/nvim/syntax.c +++ b/src/nvim/syntax.c @@ -5938,15 +5938,22 @@ init_highlight ( int i; char **pp; static int had_both = FALSE; - char_u *p; /* * Try finding the color scheme file. Used when a color file was loaded * and 'background' or 't_Co' is changed. */ - p = get_var_value((char_u *)"g:colors_name"); - if (p != NULL && load_colors(p) == OK) - return; + char_u *p = get_var_value((char_u *)"g:colors_name"); + if (p != NULL) { + // Value of g:colors_name could be freed in load_colors() and make + // p invalid, so copy it. + char_u *copy_p = vim_strsave(p); + bool okay = load_colors(copy_p); + free(copy_p); + if (okay) { + return; + } + } /* * Didn't use a color file, use the compiled-in colors. |
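Review bot: In the new `if (p != NULL)` block, `bool okay = load_colors(copy_p);` drops the explicit `== OK` comparison that the removed lines used (`load_colors(p) == OK`), so success is now decided by implicit conversion of the return value to bool rather than by matching OK. Suggest `bool okay = load_colors(copy_p) == OK;` so the early return keeps exactly the old condition. The ordering is otherwise what the commit message calls for: `copy_p` is taken before `load_colors()` runs and is freed on both the success and the failure path, so the copy does not leak and `p` is never dereferenced after the call. It would also help to say in the added comment that `p` must not be used after `load_colors()` returns, since it stays in scope for the rest of the function.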